/src/trezor-firmware/crypto/sha2.c
Line | Count | Source (jump to first uncovered line) |
1 | | /** |
2 | | * Copyright (c) 2000-2001 Aaron D. Gifford |
3 | | * Copyright (c) 2013-2014 Pavol Rusnak |
4 | | * All rights reserved. |
5 | | * |
6 | | * Redistribution and use in source and binary forms, with or without |
7 | | * modification, are permitted provided that the following conditions |
8 | | * are met: |
9 | | * 1. Redistributions of source code must retain the above copyright |
10 | | * notice, this list of conditions and the following disclaimer. |
11 | | * 2. Redistributions in binary form must reproduce the above copyright |
12 | | * notice, this list of conditions and the following disclaimer in the |
13 | | * documentation and/or other materials provided with the distribution. |
14 | | * 3. Neither the name of the copyright holder nor the names of contributors |
15 | | * may be used to endorse or promote products derived from this software |
16 | | * without specific prior written permission. |
17 | | * |
18 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND |
19 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
20 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
21 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE |
22 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
23 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
24 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
25 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
26 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
27 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
28 | | * SUCH DAMAGE. |
29 | | */ |
30 | | |
31 | | #include <string.h> |
32 | | #include <stdint.h> |
33 | | #include "sha2.h" |
34 | | #include "memzero.h" |
35 | | #include "byte_order.h" |
36 | | |
37 | | /* |
38 | | * ASSERT NOTE: |
39 | | * Some sanity checking code is included using assert(). On my FreeBSD |
40 | | * system, this additional code can be removed by compiling with NDEBUG |
41 | | * defined. Check your own systems manpage on assert() to see how to |
42 | | * compile WITHOUT the sanity checking code on your system. |
43 | | * |
44 | | * UNROLLED TRANSFORM LOOP NOTE: |
45 | | * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform |
46 | | * loop version for the hash transform rounds (defined using macros |
47 | | * later in this file). Either define on the command line, for example: |
48 | | * |
49 | | * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c |
50 | | * |
51 | | * or define below: |
52 | | * |
53 | | * #define SHA2_UNROLL_TRANSFORM |
54 | | * |
55 | | */ |
56 | | |
57 | | |
58 | | /*** SHA-256/384/512 Machine Architecture Definitions *****************/ |
59 | | /* |
60 | | * BYTE_ORDER NOTE: |
61 | | * |
62 | | * Please make sure that your system defines BYTE_ORDER. If your |
63 | | * architecture is little-endian, make sure it also defines |
64 | | * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are |
65 | | * equivilent. |
66 | | * |
67 | | * If your system does not define the above, then you can do so by |
68 | | * hand like this: |
69 | | * |
70 | | * #define LITTLE_ENDIAN 1234 |
71 | | * #define BIG_ENDIAN 4321 |
72 | | * |
73 | | * And for little-endian machines, add: |
74 | | * |
75 | | * #define BYTE_ORDER LITTLE_ENDIAN |
76 | | * |
77 | | * Or for big-endian machines: |
78 | | * |
79 | | * #define BYTE_ORDER BIG_ENDIAN |
80 | | * |
81 | | * The FreeBSD machine this was written on defines BYTE_ORDER |
82 | | * appropriately by including <sys/types.h> (which in turn includes |
83 | | * <machine/endian.h> where the appropriate definitions are actually |
84 | | * made). |
85 | | */ |
86 | | |
87 | | #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) |
88 | | #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN |
89 | | #endif |
90 | | |
91 | | typedef uint8_t sha2_byte; /* Exactly 1 byte */ |
92 | | typedef uint32_t sha2_word32; /* Exactly 4 bytes */ |
93 | | typedef uint64_t sha2_word64; /* Exactly 8 bytes */ |
94 | | |
95 | | /*** SHA-256/384/512 Various Length Definitions ***********************/ |
96 | | /* NOTE: Most of these are in sha2.h */ |
97 | 72 | #define SHA1_SHORT_BLOCK_LENGTH (SHA1_BLOCK_LENGTH - 8) |
98 | 4.88k | #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) |
99 | 2.12k | #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) |
100 | | |
101 | | /* |
102 | | * Macro for incrementally adding the unsigned 64-bit integer n to the |
103 | | * unsigned 128-bit integer (represented using a two-element array of |
104 | | * 64-bit words): |
105 | | */ |
106 | 74.6k | #define ADDINC128(w,n) { \ |
107 | 74.6k | (w)[0] += (sha2_word64)(n); \ |
108 | 74.6k | if ((w)[0] < (n)) { \ |
109 | 0 | (w)[1]++; \ |
110 | 0 | } \ |
111 | 74.6k | } |
112 | | |
113 | 306k | #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l)) |
114 | | |
115 | | /*** THE SIX LOGICAL FUNCTIONS ****************************************/ |
116 | | /* |
117 | | * Bit shifting and rotation (used by the six SHA-XYZ logical functions: |
118 | | * |
119 | | * NOTE: In the original SHA-256/384/512 document, the shift-right |
120 | | * function was named R and the rotate-right function was called S. |
121 | | * (See: http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf on the |
122 | | * web.) |
123 | | * |
124 | | * The newer NIST FIPS 180-2 document uses a much clearer naming |
125 | | * scheme, SHR for shift-right, ROTR for rotate-right, and ROTL for |
126 | | * rotate-left. (See: |
127 | | * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf |
128 | | * on the web.) |
129 | | * |
130 | | * WARNING: These macros must be used cautiously, since they reference |
131 | | * supplied parameters sometimes more than once, and thus could have |
132 | | * unexpected side-effects if used without taking this into account. |
133 | | */ |
134 | | |
135 | | /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ |
136 | 27.0M | #define SHR(b,x) ((x) >> (b)) |
137 | | /* 32-bit Rotate-right (used in SHA-256): */ |
138 | 103M | #define ROTR32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) |
139 | | /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ |
140 | 56.5M | #define ROTR64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) |
141 | | /* 32-bit Rotate-left (used in SHA-1): */ |
142 | 12.2M | #define ROTL32(b,x) (((x) << (b)) | ((x) >> (32 - (b)))) |
143 | | |
144 | | /* Two of six logical functions used in SHA-1, SHA-256, SHA-384, and SHA-512: */ |
145 | 18.7M | #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) |
146 | 18.7M | #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) |
147 | | |
148 | | /* Function used in SHA-1: */ |
149 | 2.18M | #define Parity(x,y,z) ((x) ^ (y) ^ (z)) |
150 | | |
151 | | /* Four of six logical functions used in SHA-256: */ |
152 | 11.4M | #define Sigma0_256(x) (ROTR32(2, (x)) ^ ROTR32(13, (x)) ^ ROTR32(22, (x))) |
153 | 11.4M | #define Sigma1_256(x) (ROTR32(6, (x)) ^ ROTR32(11, (x)) ^ ROTR32(25, (x))) |
154 | 8.62M | #define sigma0_256(x) (ROTR32(7, (x)) ^ ROTR32(18, (x)) ^ SHR(3 , (x))) |
155 | 8.62M | #define sigma1_256(x) (ROTR32(17, (x)) ^ ROTR32(19, (x)) ^ SHR(10, (x))) |
156 | | |
157 | | /* Four of six logical functions used in SHA-384 and SHA-512: */ |
158 | 6.14M | #define Sigma0_512(x) (ROTR64(28, (x)) ^ ROTR64(34, (x)) ^ ROTR64(39, (x))) |
159 | 6.14M | #define Sigma1_512(x) (ROTR64(14, (x)) ^ ROTR64(18, (x)) ^ ROTR64(41, (x))) |
160 | 4.91M | #define sigma0_512(x) (ROTR64( 1, (x)) ^ ROTR64( 8, (x)) ^ SHR( 7, (x))) |
161 | 4.91M | #define sigma1_512(x) (ROTR64(19, (x)) ^ ROTR64(61, (x)) ^ SHR( 6, (x))) |
162 | | |
163 | | /*** INTERNAL FUNCTION PROTOTYPES *************************************/ |
164 | | /* NOTE: These should not be accessed directly from outside this |
165 | | * library -- they are intended for private internal visibility/use |
166 | | * only. |
167 | | */ |
168 | | static void sha512_Last(SHA512_CTX*); |
169 | | |
170 | | |
171 | | /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ |
172 | | |
173 | | /* Hash constant words K for SHA-1: */ |
174 | 1.09M | #define K1_0_TO_19 0x5a827999UL |
175 | 1.09M | #define K1_20_TO_39 0x6ed9eba1UL |
176 | 1.09M | #define K1_40_TO_59 0x8f1bbcdcUL |
177 | 1.09M | #define K1_60_TO_79 0xca62c1d6UL |
178 | | |
179 | | /* Initial hash value H for SHA-1: */ |
180 | | const sha2_word32 sha1_initial_hash_value[SHA1_DIGEST_LENGTH / sizeof(sha2_word32)] = { |
181 | | 0x67452301UL, |
182 | | 0xefcdab89UL, |
183 | | 0x98badcfeUL, |
184 | | 0x10325476UL, |
185 | | 0xc3d2e1f0UL |
186 | | }; |
187 | | |
188 | | /* Hash constant words K for SHA-256: */ |
189 | | static const sha2_word32 K256[64] = { |
190 | | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, |
191 | | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, |
192 | | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, |
193 | | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, |
194 | | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, |
195 | | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, |
196 | | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, |
197 | | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, |
198 | | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, |
199 | | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, |
200 | | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, |
201 | | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, |
202 | | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, |
203 | | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, |
204 | | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, |
205 | | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL |
206 | | }; |
207 | | |
208 | | /* Initial hash value H for SHA-256: */ |
209 | | const sha2_word32 sha256_initial_hash_value[8] = { |
210 | | 0x6a09e667UL, |
211 | | 0xbb67ae85UL, |
212 | | 0x3c6ef372UL, |
213 | | 0xa54ff53aUL, |
214 | | 0x510e527fUL, |
215 | | 0x9b05688cUL, |
216 | | 0x1f83d9abUL, |
217 | | 0x5be0cd19UL |
218 | | }; |
219 | | |
220 | | /* Hash constant words K for SHA-384 and SHA-512: */ |
221 | | static const sha2_word64 K512[80] = { |
222 | | 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, |
223 | | 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, |
224 | | 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, |
225 | | 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, |
226 | | 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, |
227 | | 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, |
228 | | 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, |
229 | | 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, |
230 | | 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, |
231 | | 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, |
232 | | 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, |
233 | | 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, |
234 | | 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, |
235 | | 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, |
236 | | 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, |
237 | | 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, |
238 | | 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, |
239 | | 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, |
240 | | 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, |
241 | | 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, |
242 | | 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, |
243 | | 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, |
244 | | 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, |
245 | | 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, |
246 | | 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, |
247 | | 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, |
248 | | 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, |
249 | | 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, |
250 | | 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, |
251 | | 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, |
252 | | 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, |
253 | | 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, |
254 | | 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, |
255 | | 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, |
256 | | 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, |
257 | | 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, |
258 | | 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, |
259 | | 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, |
260 | | 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, |
261 | | 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL |
262 | | }; |
263 | | |
264 | | /* Initial hash value H for SHA-512 */ |
265 | | const sha2_word64 sha512_initial_hash_value[8] = { |
266 | | 0x6a09e667f3bcc908ULL, |
267 | | 0xbb67ae8584caa73bULL, |
268 | | 0x3c6ef372fe94f82bULL, |
269 | | 0xa54ff53a5f1d36f1ULL, |
270 | | 0x510e527fade682d1ULL, |
271 | | 0x9b05688c2b3e6c1fULL, |
272 | | 0x1f83d9abfb41bd6bULL, |
273 | | 0x5be0cd19137e2179ULL |
274 | | }; |
275 | | |
276 | | /* Initial hash value H for SHA-384 */ |
277 | | const sha2_word64 sha384_initial_hash_value[8] = { |
278 | | 0xcbbb9d5dc1059ed8ULL, |
279 | | 0x629a292a367cd507ULL, |
280 | | 0x9159015a3070dd17ULL, |
281 | | 0x152fecd8f70e5939ULL, |
282 | | 0x67332667ffc00b31ULL, |
283 | | 0x8eb44a8768581511ULL, |
284 | | 0xdb0c2e0d64f98fa7ULL, |
285 | | 0x47b5481dbefa4fa4ULL |
286 | | }; |
287 | | |
288 | | /* |
289 | | * Constant used by SHA256/384/512_End() functions for converting the |
290 | | * digest to a readable hexadecimal character string: |
291 | | */ |
292 | | static const char *sha2_hex_digits = "0123456789abcdef"; |
293 | | |
294 | | |
295 | | /*** SHA-1: ***********************************************************/ |
296 | 36 | void sha1_Init(SHA1_CTX* context) { |
297 | 36 | MEMCPY_BCOPY(context->state, sha1_initial_hash_value, SHA1_DIGEST_LENGTH); |
298 | 36 | memzero(context->buffer, SHA1_BLOCK_LENGTH); |
299 | 36 | context->bitcount = 0; |
300 | 36 | } |
301 | | |
302 | | #ifdef SHA2_UNROLL_TRANSFORM |
303 | | |
304 | | /* Unrolled SHA-1 round macros: */ |
305 | | |
306 | | #define ROUND1_0_TO_15(a,b,c,d,e) \ |
307 | | (e) = ROTL32(5, (a)) + Ch((b), (c), (d)) + (e) + \ |
308 | | K1_0_TO_19 + ( W1[j] = *data++ ); \ |
309 | | (b) = ROTL32(30, (b)); \ |
310 | | j++; |
311 | | |
312 | | #define ROUND1_16_TO_19(a,b,c,d,e) \ |
313 | | T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f]; \ |
314 | | (e) = ROTL32(5, a) + Ch(b,c,d) + e + K1_0_TO_19 + ( W1[j&0x0f] = ROTL32(1, T1) ); \ |
315 | | (b) = ROTL32(30, b); \ |
316 | | j++; |
317 | | |
318 | | #define ROUND1_20_TO_39(a,b,c,d,e) \ |
319 | | T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f]; \ |
320 | | (e) = ROTL32(5, a) + Parity(b,c,d) + e + K1_20_TO_39 + ( W1[j&0x0f] = ROTL32(1, T1) ); \ |
321 | | (b) = ROTL32(30, b); \ |
322 | | j++; |
323 | | |
324 | | #define ROUND1_40_TO_59(a,b,c,d,e) \ |
325 | | T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f]; \ |
326 | | (e) = ROTL32(5, a) + Maj(b,c,d) + e + K1_40_TO_59 + ( W1[j&0x0f] = ROTL32(1, T1) ); \ |
327 | | (b) = ROTL32(30, b); \ |
328 | | j++; |
329 | | |
330 | | #define ROUND1_60_TO_79(a,b,c,d,e) \ |
331 | | T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f]; \ |
332 | | (e) = ROTL32(5, a) + Parity(b,c,d) + e + K1_60_TO_79 + ( W1[j&0x0f] = ROTL32(1, T1) ); \ |
333 | | (b) = ROTL32(30, b); \ |
334 | | j++; |
335 | | |
336 | | void sha1_Transform(const sha2_word32* state_in, const sha2_word32* data, sha2_word32* state_out) { |
337 | | sha2_word32 a = 0, b = 0, c = 0, d = 0, e = 0; |
338 | | sha2_word32 T1 = 0; |
339 | | sha2_word32 W1[16] = {0}; |
340 | | int j = 0; |
341 | | |
342 | | /* Initialize registers with the prev. intermediate value */ |
343 | | a = state_in[0]; |
344 | | b = state_in[1]; |
345 | | c = state_in[2]; |
346 | | d = state_in[3]; |
347 | | e = state_in[4]; |
348 | | |
349 | | j = 0; |
350 | | |
351 | | /* Rounds 0 to 15 unrolled: */ |
352 | | ROUND1_0_TO_15(a,b,c,d,e); |
353 | | ROUND1_0_TO_15(e,a,b,c,d); |
354 | | ROUND1_0_TO_15(d,e,a,b,c); |
355 | | ROUND1_0_TO_15(c,d,e,a,b); |
356 | | ROUND1_0_TO_15(b,c,d,e,a); |
357 | | ROUND1_0_TO_15(a,b,c,d,e); |
358 | | ROUND1_0_TO_15(e,a,b,c,d); |
359 | | ROUND1_0_TO_15(d,e,a,b,c); |
360 | | ROUND1_0_TO_15(c,d,e,a,b); |
361 | | ROUND1_0_TO_15(b,c,d,e,a); |
362 | | ROUND1_0_TO_15(a,b,c,d,e); |
363 | | ROUND1_0_TO_15(e,a,b,c,d); |
364 | | ROUND1_0_TO_15(d,e,a,b,c); |
365 | | ROUND1_0_TO_15(c,d,e,a,b); |
366 | | ROUND1_0_TO_15(b,c,d,e,a); |
367 | | ROUND1_0_TO_15(a,b,c,d,e); |
368 | | |
369 | | /* Rounds 16 to 19 unrolled: */ |
370 | | ROUND1_16_TO_19(e,a,b,c,d); |
371 | | ROUND1_16_TO_19(d,e,a,b,c); |
372 | | ROUND1_16_TO_19(c,d,e,a,b); |
373 | | ROUND1_16_TO_19(b,c,d,e,a); |
374 | | |
375 | | /* Rounds 20 to 39 unrolled: */ |
376 | | ROUND1_20_TO_39(a,b,c,d,e); |
377 | | ROUND1_20_TO_39(e,a,b,c,d); |
378 | | ROUND1_20_TO_39(d,e,a,b,c); |
379 | | ROUND1_20_TO_39(c,d,e,a,b); |
380 | | ROUND1_20_TO_39(b,c,d,e,a); |
381 | | ROUND1_20_TO_39(a,b,c,d,e); |
382 | | ROUND1_20_TO_39(e,a,b,c,d); |
383 | | ROUND1_20_TO_39(d,e,a,b,c); |
384 | | ROUND1_20_TO_39(c,d,e,a,b); |
385 | | ROUND1_20_TO_39(b,c,d,e,a); |
386 | | ROUND1_20_TO_39(a,b,c,d,e); |
387 | | ROUND1_20_TO_39(e,a,b,c,d); |
388 | | ROUND1_20_TO_39(d,e,a,b,c); |
389 | | ROUND1_20_TO_39(c,d,e,a,b); |
390 | | ROUND1_20_TO_39(b,c,d,e,a); |
391 | | ROUND1_20_TO_39(a,b,c,d,e); |
392 | | ROUND1_20_TO_39(e,a,b,c,d); |
393 | | ROUND1_20_TO_39(d,e,a,b,c); |
394 | | ROUND1_20_TO_39(c,d,e,a,b); |
395 | | ROUND1_20_TO_39(b,c,d,e,a); |
396 | | |
397 | | /* Rounds 40 to 59 unrolled: */ |
398 | | ROUND1_40_TO_59(a,b,c,d,e); |
399 | | ROUND1_40_TO_59(e,a,b,c,d); |
400 | | ROUND1_40_TO_59(d,e,a,b,c); |
401 | | ROUND1_40_TO_59(c,d,e,a,b); |
402 | | ROUND1_40_TO_59(b,c,d,e,a); |
403 | | ROUND1_40_TO_59(a,b,c,d,e); |
404 | | ROUND1_40_TO_59(e,a,b,c,d); |
405 | | ROUND1_40_TO_59(d,e,a,b,c); |
406 | | ROUND1_40_TO_59(c,d,e,a,b); |
407 | | ROUND1_40_TO_59(b,c,d,e,a); |
408 | | ROUND1_40_TO_59(a,b,c,d,e); |
409 | | ROUND1_40_TO_59(e,a,b,c,d); |
410 | | ROUND1_40_TO_59(d,e,a,b,c); |
411 | | ROUND1_40_TO_59(c,d,e,a,b); |
412 | | ROUND1_40_TO_59(b,c,d,e,a); |
413 | | ROUND1_40_TO_59(a,b,c,d,e); |
414 | | ROUND1_40_TO_59(e,a,b,c,d); |
415 | | ROUND1_40_TO_59(d,e,a,b,c); |
416 | | ROUND1_40_TO_59(c,d,e,a,b); |
417 | | ROUND1_40_TO_59(b,c,d,e,a); |
418 | | |
419 | | /* Rounds 60 to 79 unrolled: */ |
420 | | ROUND1_60_TO_79(a,b,c,d,e); |
421 | | ROUND1_60_TO_79(e,a,b,c,d); |
422 | | ROUND1_60_TO_79(d,e,a,b,c); |
423 | | ROUND1_60_TO_79(c,d,e,a,b); |
424 | | ROUND1_60_TO_79(b,c,d,e,a); |
425 | | ROUND1_60_TO_79(a,b,c,d,e); |
426 | | ROUND1_60_TO_79(e,a,b,c,d); |
427 | | ROUND1_60_TO_79(d,e,a,b,c); |
428 | | ROUND1_60_TO_79(c,d,e,a,b); |
429 | | ROUND1_60_TO_79(b,c,d,e,a); |
430 | | ROUND1_60_TO_79(a,b,c,d,e); |
431 | | ROUND1_60_TO_79(e,a,b,c,d); |
432 | | ROUND1_60_TO_79(d,e,a,b,c); |
433 | | ROUND1_60_TO_79(c,d,e,a,b); |
434 | | ROUND1_60_TO_79(b,c,d,e,a); |
435 | | ROUND1_60_TO_79(a,b,c,d,e); |
436 | | ROUND1_60_TO_79(e,a,b,c,d); |
437 | | ROUND1_60_TO_79(d,e,a,b,c); |
438 | | ROUND1_60_TO_79(c,d,e,a,b); |
439 | | ROUND1_60_TO_79(b,c,d,e,a); |
440 | | |
441 | | /* Compute the current intermediate hash value */ |
442 | | state_out[0] = state_in[0] + a; |
443 | | state_out[1] = state_in[1] + b; |
444 | | state_out[2] = state_in[2] + c; |
445 | | state_out[3] = state_in[3] + d; |
446 | | state_out[4] = state_in[4] + e; |
447 | | |
448 | | /* Clean up */ |
449 | | a = b = c = d = e = T1 = 0; |
450 | | } |
451 | | |
452 | | #else /* SHA2_UNROLL_TRANSFORM */ |
453 | | |
454 | 54.5k | void sha1_Transform(const sha2_word32* state_in, const sha2_word32* data, sha2_word32* state_out) { |
455 | 54.5k | sha2_word32 a = 0, b = 0, c = 0, d = 0, e = 0; |
456 | 54.5k | sha2_word32 T1 = 0; |
457 | 54.5k | sha2_word32 W1[16] = {0}; |
458 | 54.5k | int j = 0; |
459 | | |
460 | | /* Initialize registers with the prev. intermediate value */ |
461 | 54.5k | a = state_in[0]; |
462 | 54.5k | b = state_in[1]; |
463 | 54.5k | c = state_in[2]; |
464 | 54.5k | d = state_in[3]; |
465 | 54.5k | e = state_in[4]; |
466 | 54.5k | j = 0; |
467 | 873k | do { |
468 | 873k | T1 = ROTL32(5, a) + Ch(b, c, d) + e + K1_0_TO_19 + (W1[j] = *data++); |
469 | 873k | e = d; |
470 | 873k | d = c; |
471 | 873k | c = ROTL32(30, b); |
472 | 873k | b = a; |
473 | 873k | a = T1; |
474 | 873k | j++; |
475 | 873k | } while (j < 16); |
476 | | |
477 | 218k | do { |
478 | 218k | T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f]; |
479 | 218k | T1 = ROTL32(5, a) + Ch(b,c,d) + e + K1_0_TO_19 + (W1[j&0x0f] = ROTL32(1, T1)); |
480 | 218k | e = d; |
481 | 218k | d = c; |
482 | 218k | c = ROTL32(30, b); |
483 | 218k | b = a; |
484 | 218k | a = T1; |
485 | 218k | j++; |
486 | 218k | } while (j < 20); |
487 | | |
488 | 1.09M | do { |
489 | 1.09M | T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f]; |
490 | 1.09M | T1 = ROTL32(5, a) + Parity(b,c,d) + e + K1_20_TO_39 + (W1[j&0x0f] = ROTL32(1, T1)); |
491 | 1.09M | e = d; |
492 | 1.09M | d = c; |
493 | 1.09M | c = ROTL32(30, b); |
494 | 1.09M | b = a; |
495 | 1.09M | a = T1; |
496 | 1.09M | j++; |
497 | 1.09M | } while (j < 40); |
498 | | |
499 | 1.09M | do { |
500 | 1.09M | T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f]; |
501 | 1.09M | T1 = ROTL32(5, a) + Maj(b,c,d) + e + K1_40_TO_59 + (W1[j&0x0f] = ROTL32(1, T1)); |
502 | 1.09M | e = d; |
503 | 1.09M | d = c; |
504 | 1.09M | c = ROTL32(30, b); |
505 | 1.09M | b = a; |
506 | 1.09M | a = T1; |
507 | 1.09M | j++; |
508 | 1.09M | } while (j < 60); |
509 | | |
510 | 1.09M | do { |
511 | 1.09M | T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f]; |
512 | 1.09M | T1 = ROTL32(5, a) + Parity(b,c,d) + e + K1_60_TO_79 + (W1[j&0x0f] = ROTL32(1, T1)); |
513 | 1.09M | e = d; |
514 | 1.09M | d = c; |
515 | 1.09M | c = ROTL32(30, b); |
516 | 1.09M | b = a; |
517 | 1.09M | a = T1; |
518 | 1.09M | j++; |
519 | 1.09M | } while (j < 80); |
520 | | |
521 | | |
522 | | /* Compute the current intermediate hash value */ |
523 | 54.5k | state_out[0] = state_in[0] + a; |
524 | 54.5k | state_out[1] = state_in[1] + b; |
525 | 54.5k | state_out[2] = state_in[2] + c; |
526 | 54.5k | state_out[3] = state_in[3] + d; |
527 | 54.5k | state_out[4] = state_in[4] + e; |
528 | | |
529 | | /* Clean up */ |
530 | 54.5k | a = b = c = d = e = T1 = 0; |
531 | 54.5k | } |
532 | | |
533 | | #endif /* SHA2_UNROLL_TRANSFORM */ |
534 | | |
535 | 21.0k | void sha1_Update(SHA1_CTX* context, const sha2_byte *data, size_t len) { |
536 | 21.0k | unsigned int freespace = 0, usedspace = 0; |
537 | | |
538 | 21.0k | if (len == 0) { |
539 | | /* Calling with no data is valid - we do nothing */ |
540 | 20.6k | return; |
541 | 20.6k | } |
542 | | |
543 | 418 | usedspace = (context->bitcount >> 3) % SHA1_BLOCK_LENGTH; |
544 | 418 | if (usedspace > 0) { |
545 | | /* Calculate how much free space is available in the buffer */ |
546 | 375 | freespace = SHA1_BLOCK_LENGTH - usedspace; |
547 | | |
548 | 375 | if (len >= freespace) { |
549 | | /* Fill the buffer completely and process it */ |
550 | 211 | MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, freespace); |
551 | 211 | context->bitcount += freespace << 3; |
552 | 211 | len -= freespace; |
553 | 211 | data += freespace; |
554 | 211 | #if BYTE_ORDER == LITTLE_ENDIAN |
555 | | /* Convert TO host byte order */ |
556 | 3.58k | for (int j = 0; j < 16; j++) { |
557 | 3.37k | REVERSE32(context->buffer[j],context->buffer[j]); |
558 | 3.37k | } |
559 | 211 | #endif |
560 | 211 | sha1_Transform(context->state, context->buffer, context->state); |
561 | 211 | } else { |
562 | | /* The buffer is not yet full */ |
563 | 164 | MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, len); |
564 | 164 | context->bitcount += len << 3; |
565 | | /* Clean up: */ |
566 | 164 | usedspace = freespace = 0; |
567 | 164 | return; |
568 | 164 | } |
569 | 375 | } |
570 | 54.5k | while (len >= SHA1_BLOCK_LENGTH) { |
571 | | /* Process as many complete blocks as we can */ |
572 | 54.3k | MEMCPY_BCOPY(context->buffer, data, SHA1_BLOCK_LENGTH); |
573 | 54.3k | #if BYTE_ORDER == LITTLE_ENDIAN |
574 | | /* Convert TO host byte order */ |
575 | 923k | for (int j = 0; j < 16; j++) { |
576 | 869k | REVERSE32(context->buffer[j],context->buffer[j]); |
577 | 869k | } |
578 | 54.3k | #endif |
579 | 54.3k | sha1_Transform(context->state, context->buffer, context->state); |
580 | 54.3k | context->bitcount += SHA1_BLOCK_LENGTH << 3; |
581 | 54.3k | len -= SHA1_BLOCK_LENGTH; |
582 | 54.3k | data += SHA1_BLOCK_LENGTH; |
583 | 54.3k | } |
584 | 254 | if (len > 0) { |
585 | | /* There's left-overs, so save 'em */ |
586 | 247 | MEMCPY_BCOPY(context->buffer, data, len); |
587 | 247 | context->bitcount += len << 3; |
588 | 247 | } |
589 | | /* Clean up: */ |
590 | 254 | usedspace = freespace = 0; |
591 | 254 | } |
592 | | |
593 | 36 | void sha1_Final(SHA1_CTX* context, sha2_byte digest[SHA1_DIGEST_LENGTH]) { |
594 | 36 | unsigned int usedspace = 0; |
595 | | |
596 | | /* If no digest buffer is passed, we don't bother doing this: */ |
597 | 36 | if (digest != (sha2_byte*)0) { |
598 | 36 | usedspace = (context->bitcount >> 3) % SHA1_BLOCK_LENGTH; |
599 | | /* Begin padding with a 1 bit: */ |
600 | 36 | ((uint8_t*)context->buffer)[usedspace++] = 0x80; |
601 | | |
602 | 36 | if (usedspace > SHA1_SHORT_BLOCK_LENGTH) { |
603 | 6 | memzero(((uint8_t*)context->buffer) + usedspace, SHA1_BLOCK_LENGTH - usedspace); |
604 | | |
605 | 6 | #if BYTE_ORDER == LITTLE_ENDIAN |
606 | | /* Convert TO host byte order */ |
607 | 102 | for (int j = 0; j < 16; j++) { |
608 | 96 | REVERSE32(context->buffer[j],context->buffer[j]); |
609 | 96 | } |
610 | 6 | #endif |
611 | | /* Do second-to-last transform: */ |
612 | 6 | sha1_Transform(context->state, context->buffer, context->state); |
613 | | |
614 | | /* And prepare the last transform: */ |
615 | 6 | usedspace = 0; |
616 | 6 | } |
617 | | /* Set-up for the last transform: */ |
618 | 36 | memzero(((uint8_t*)context->buffer) + usedspace, SHA1_SHORT_BLOCK_LENGTH - usedspace); |
619 | | |
620 | 36 | #if BYTE_ORDER == LITTLE_ENDIAN |
621 | | /* Convert TO host byte order */ |
622 | 540 | for (int j = 0; j < 14; j++) { |
623 | 504 | REVERSE32(context->buffer[j],context->buffer[j]); |
624 | 504 | } |
625 | 36 | #endif |
626 | | /* Set the bit count: */ |
627 | 36 | context->buffer[14] = context->bitcount >> 32; |
628 | 36 | context->buffer[15] = context->bitcount & 0xffffffff; |
629 | | |
630 | | /* Final transform: */ |
631 | 36 | sha1_Transform(context->state, context->buffer, context->state); |
632 | | |
633 | 36 | #if BYTE_ORDER == LITTLE_ENDIAN |
634 | | /* Convert FROM host byte order */ |
635 | 216 | for (int j = 0; j < 5; j++) { |
636 | 180 | REVERSE32(context->state[j],context->state[j]); |
637 | 180 | } |
638 | 36 | #endif |
639 | 36 | MEMCPY_BCOPY(digest, context->state, SHA1_DIGEST_LENGTH); |
640 | 36 | } |
641 | | |
642 | | /* Clean up state data: */ |
643 | 36 | memzero(context, sizeof(SHA1_CTX)); |
644 | 36 | usedspace = 0; |
645 | 36 | } |
646 | | |
647 | 0 | char *sha1_End(SHA1_CTX* context, char buffer[SHA1_DIGEST_STRING_LENGTH]) { |
648 | 0 | sha2_byte digest[SHA1_DIGEST_LENGTH] = {0}, *d = digest; |
649 | 0 | int i = 0; |
650 | |
|
651 | 0 | if (buffer != (char*)0) { |
652 | 0 | sha1_Final(context, digest); |
653 | |
|
654 | 0 | for (i = 0; i < SHA1_DIGEST_LENGTH; i++) { |
655 | 0 | *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; |
656 | 0 | *buffer++ = sha2_hex_digits[*d & 0x0f]; |
657 | 0 | d++; |
658 | 0 | } |
659 | 0 | *buffer = (char)0; |
660 | 0 | } else { |
661 | 0 | memzero(context, sizeof(SHA1_CTX)); |
662 | 0 | } |
663 | 0 | memzero(digest, SHA1_DIGEST_LENGTH); |
664 | 0 | return buffer; |
665 | 0 | } |
666 | | |
667 | 0 | void sha1_Raw(const sha2_byte* data, size_t len, uint8_t digest[SHA1_DIGEST_LENGTH]) { |
668 | 0 | SHA1_CTX context = {0}; |
669 | 0 | sha1_Init(&context); |
670 | 0 | sha1_Update(&context, data, len); |
671 | 0 | sha1_Final(&context, digest); |
672 | 0 | } |
673 | | |
674 | 0 | char* sha1_Data(const sha2_byte* data, size_t len, char digest[SHA1_DIGEST_STRING_LENGTH]) { |
675 | 0 | SHA1_CTX context = {0}; |
676 | |
|
677 | 0 | sha1_Init(&context); |
678 | 0 | sha1_Update(&context, data, len); |
679 | 0 | return sha1_End(&context, digest); |
680 | 0 | } |
681 | | |
682 | | /*** SHA-256: *********************************************************/ |
683 | 1.02k | void sha256_Init(SHA256_CTX* context) { |
684 | 1.02k | if (context == (SHA256_CTX*)0) { |
685 | 0 | return; |
686 | 0 | } |
687 | 1.02k | MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH); |
688 | 1.02k | memzero(context->buffer, SHA256_BLOCK_LENGTH); |
689 | 1.02k | context->bitcount = 0; |
690 | 1.02k | } |
691 | | |
692 | 0 | void sha256_Init_ex(SHA256_CTX *context, const uint32_t state[8], uint64_t bitcount) { |
693 | 0 | if (context == (SHA256_CTX*)0) { |
694 | 0 | return; |
695 | 0 | } |
696 | 0 | MEMCPY_BCOPY(context->state, state, SHA256_DIGEST_LENGTH); |
697 | 0 | memzero(context->buffer, SHA256_BLOCK_LENGTH); |
698 | 0 | context->bitcount = bitcount; |
699 | 0 | } |
700 | | |
701 | | #ifdef SHA2_UNROLL_TRANSFORM |
702 | | |
703 | | /* Unrolled SHA-256 round macros: */ |
704 | | |
705 | | #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ |
706 | | T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ |
707 | | K256[j] + (W256[j] = *data++); \ |
708 | | (d) += T1; \ |
709 | | (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ |
710 | | j++ |
711 | | |
712 | | #define ROUND256(a,b,c,d,e,f,g,h) \ |
713 | | s0 = W256[(j+1)&0x0f]; \ |
714 | | s0 = sigma0_256(s0); \ |
715 | | s1 = W256[(j+14)&0x0f]; \ |
716 | | s1 = sigma1_256(s1); \ |
717 | | T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ |
718 | | (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ |
719 | | (d) += T1; \ |
720 | | (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ |
721 | | j++ |
722 | | |
723 | | void sha256_Transform(const sha2_word32* state_in, const sha2_word32* data, sha2_word32* state_out) { |
724 | | sha2_word32 a = 0, b = 0, c = 0, d = 0, e = 0, f = 0, g = 0, h = 0, s0 = 0, s1 = 0; |
725 | | sha2_word32 T1 = 0; |
726 | | sha2_word32 W256[16] = {0}; |
727 | | int j = 0; |
728 | | |
729 | | /* Initialize registers with the prev. intermediate value */ |
730 | | a = state_in[0]; |
731 | | b = state_in[1]; |
732 | | c = state_in[2]; |
733 | | d = state_in[3]; |
734 | | e = state_in[4]; |
735 | | f = state_in[5]; |
736 | | g = state_in[6]; |
737 | | h = state_in[7]; |
738 | | |
739 | | j = 0; |
740 | | do { |
741 | | /* Rounds 0 to 15 (unrolled): */ |
742 | | ROUND256_0_TO_15(a,b,c,d,e,f,g,h); |
743 | | ROUND256_0_TO_15(h,a,b,c,d,e,f,g); |
744 | | ROUND256_0_TO_15(g,h,a,b,c,d,e,f); |
745 | | ROUND256_0_TO_15(f,g,h,a,b,c,d,e); |
746 | | ROUND256_0_TO_15(e,f,g,h,a,b,c,d); |
747 | | ROUND256_0_TO_15(d,e,f,g,h,a,b,c); |
748 | | ROUND256_0_TO_15(c,d,e,f,g,h,a,b); |
749 | | ROUND256_0_TO_15(b,c,d,e,f,g,h,a); |
750 | | } while (j < 16); |
751 | | |
752 | | /* Now for the remaining rounds to 64: */ |
753 | | do { |
754 | | ROUND256(a,b,c,d,e,f,g,h); |
755 | | ROUND256(h,a,b,c,d,e,f,g); |
756 | | ROUND256(g,h,a,b,c,d,e,f); |
757 | | ROUND256(f,g,h,a,b,c,d,e); |
758 | | ROUND256(e,f,g,h,a,b,c,d); |
759 | | ROUND256(d,e,f,g,h,a,b,c); |
760 | | ROUND256(c,d,e,f,g,h,a,b); |
761 | | ROUND256(b,c,d,e,f,g,h,a); |
762 | | } while (j < 64); |
763 | | |
764 | | /* Compute the current intermediate hash value */ |
765 | | state_out[0] = state_in[0] + a; |
766 | | state_out[1] = state_in[1] + b; |
767 | | state_out[2] = state_in[2] + c; |
768 | | state_out[3] = state_in[3] + d; |
769 | | state_out[4] = state_in[4] + e; |
770 | | state_out[5] = state_in[5] + f; |
771 | | state_out[6] = state_in[6] + g; |
772 | | state_out[7] = state_in[7] + h; |
773 | | |
774 | | /* Clean up */ |
775 | | a = b = c = d = e = f = g = h = T1 = 0; |
776 | | } |
777 | | |
778 | | #else /* SHA2_UNROLL_TRANSFORM */ |
779 | | |
780 | 179k | void sha256_Transform(const sha2_word32* state_in, const sha2_word32* data, sha2_word32* state_out) { |
781 | 179k | sha2_word32 a = 0, b = 0, c = 0, d = 0, e = 0, f = 0, g = 0, h = 0, s0 = 0, s1 = 0; |
782 | 179k | sha2_word32 T1 = 0, T2 = 0 , W256[16] = {0}; |
783 | 179k | int j = 0; |
784 | | |
785 | | /* Initialize registers with the prev. intermediate value */ |
786 | 179k | a = state_in[0]; |
787 | 179k | b = state_in[1]; |
788 | 179k | c = state_in[2]; |
789 | 179k | d = state_in[3]; |
790 | 179k | e = state_in[4]; |
791 | 179k | f = state_in[5]; |
792 | 179k | g = state_in[6]; |
793 | 179k | h = state_in[7]; |
794 | | |
795 | 179k | j = 0; |
796 | 2.87M | do { |
797 | | /* Apply the SHA-256 compression function to update a..h with copy */ |
798 | 2.87M | T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++); |
799 | 2.87M | T2 = Sigma0_256(a) + Maj(a, b, c); |
800 | 2.87M | h = g; |
801 | 2.87M | g = f; |
802 | 2.87M | f = e; |
803 | 2.87M | e = d + T1; |
804 | 2.87M | d = c; |
805 | 2.87M | c = b; |
806 | 2.87M | b = a; |
807 | 2.87M | a = T1 + T2; |
808 | | |
809 | 2.87M | j++; |
810 | 2.87M | } while (j < 16); |
811 | | |
812 | 8.62M | do { |
813 | | /* Part of the message block expansion: */ |
814 | 8.62M | s0 = W256[(j+1)&0x0f]; |
815 | 8.62M | s0 = sigma0_256(s0); |
816 | 8.62M | s1 = W256[(j+14)&0x0f]; |
817 | 8.62M | s1 = sigma1_256(s1); |
818 | | |
819 | | /* Apply the SHA-256 compression function to update a..h */ |
820 | 8.62M | T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + |
821 | 8.62M | (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); |
822 | 8.62M | T2 = Sigma0_256(a) + Maj(a, b, c); |
823 | 8.62M | h = g; |
824 | 8.62M | g = f; |
825 | 8.62M | f = e; |
826 | 8.62M | e = d + T1; |
827 | 8.62M | d = c; |
828 | 8.62M | c = b; |
829 | 8.62M | b = a; |
830 | 8.62M | a = T1 + T2; |
831 | | |
832 | 8.62M | j++; |
833 | 8.62M | } while (j < 64); |
834 | | |
835 | | /* Compute the current intermediate hash value */ |
836 | 179k | state_out[0] = state_in[0] + a; |
837 | 179k | state_out[1] = state_in[1] + b; |
838 | 179k | state_out[2] = state_in[2] + c; |
839 | 179k | state_out[3] = state_in[3] + d; |
840 | 179k | state_out[4] = state_in[4] + e; |
841 | 179k | state_out[5] = state_in[5] + f; |
842 | 179k | state_out[6] = state_in[6] + g; |
843 | 179k | state_out[7] = state_in[7] + h; |
844 | | |
845 | | /* Clean up */ |
846 | 179k | a = b = c = d = e = f = g = h = T1 = T2 = 0; |
847 | 179k | } |
848 | | |
849 | | #endif /* SHA2_UNROLL_TRANSFORM */ |
850 | | |
851 | 26.0k | void sha256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) { |
852 | 26.0k | unsigned int freespace = 0, usedspace = 0; |
853 | | |
854 | 26.0k | if (len == 0) { |
855 | | /* Calling with no data is valid - we do nothing */ |
856 | 21.5k | return; |
857 | 21.5k | } |
858 | | |
859 | 4.50k | usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; |
860 | 4.50k | if (usedspace > 0) { |
861 | | /* Calculate how much free space is available in the buffer */ |
862 | 2.38k | freespace = SHA256_BLOCK_LENGTH - usedspace; |
863 | | |
864 | 2.38k | if (len >= freespace) { |
865 | | /* Fill the buffer completely and process it */ |
866 | 731 | MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, freespace); |
867 | 731 | context->bitcount += freespace << 3; |
868 | 731 | len -= freespace; |
869 | 731 | data += freespace; |
870 | 731 | #if BYTE_ORDER == LITTLE_ENDIAN |
871 | | /* Convert TO host byte order */ |
872 | 12.4k | for (int j = 0; j < 16; j++) { |
873 | 11.6k | REVERSE32(context->buffer[j],context->buffer[j]); |
874 | 11.6k | } |
875 | 731 | #endif |
876 | 731 | sha256_Transform(context->state, context->buffer, context->state); |
877 | 1.64k | } else { |
878 | | /* The buffer is not yet full */ |
879 | 1.64k | MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, len); |
880 | 1.64k | context->bitcount += len << 3; |
881 | | /* Clean up: */ |
882 | 1.64k | usedspace = freespace = 0; |
883 | 1.64k | return; |
884 | 1.64k | } |
885 | 2.38k | } |
886 | 169k | while (len >= SHA256_BLOCK_LENGTH) { |
887 | | /* Process as many complete blocks as we can */ |
888 | 166k | MEMCPY_BCOPY(context->buffer, data, SHA256_BLOCK_LENGTH); |
889 | 166k | #if BYTE_ORDER == LITTLE_ENDIAN |
890 | | /* Convert TO host byte order */ |
891 | 2.82M | for (int j = 0; j < 16; j++) { |
892 | 2.66M | REVERSE32(context->buffer[j],context->buffer[j]); |
893 | 2.66M | } |
894 | 166k | #endif |
895 | 166k | sha256_Transform(context->state, context->buffer, context->state); |
896 | 166k | context->bitcount += SHA256_BLOCK_LENGTH << 3; |
897 | 166k | len -= SHA256_BLOCK_LENGTH; |
898 | 166k | data += SHA256_BLOCK_LENGTH; |
899 | 166k | } |
900 | 2.85k | if (len > 0) { |
901 | | /* There's left-overs, so save 'em */ |
902 | 2.74k | MEMCPY_BCOPY(context->buffer, data, len); |
903 | 2.74k | context->bitcount += len << 3; |
904 | 2.74k | } |
905 | | /* Clean up: */ |
906 | 2.85k | usedspace = freespace = 0; |
907 | 2.85k | } |
908 | | |
909 | 2.44k | void sha256_Final(SHA256_CTX* context, sha2_byte digest[SHA256_DIGEST_LENGTH]) { |
910 | 2.44k | unsigned int usedspace = 0; |
911 | | |
912 | | /* If no digest buffer is passed, we don't bother doing this: */ |
913 | 2.44k | if (digest != (sha2_byte*)0) { |
914 | 2.44k | usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; |
915 | | /* Begin padding with a 1 bit: */ |
916 | 2.44k | ((uint8_t*)context->buffer)[usedspace++] = 0x80; |
917 | | |
918 | 2.44k | if (usedspace > SHA256_SHORT_BLOCK_LENGTH) { |
919 | 391 | memzero(((uint8_t*)context->buffer) + usedspace, SHA256_BLOCK_LENGTH - usedspace); |
920 | | |
921 | 391 | #if BYTE_ORDER == LITTLE_ENDIAN |
922 | | /* Convert TO host byte order */ |
923 | 6.64k | for (int j = 0; j < 16; j++) { |
924 | 6.25k | REVERSE32(context->buffer[j],context->buffer[j]); |
925 | 6.25k | } |
926 | 391 | #endif |
927 | | /* Do second-to-last transform: */ |
928 | 391 | sha256_Transform(context->state, context->buffer, context->state); |
929 | | |
930 | | /* And prepare the last transform: */ |
931 | 391 | usedspace = 0; |
932 | 391 | } |
933 | | /* Set-up for the last transform: */ |
934 | 2.44k | memzero(((uint8_t*)context->buffer) + usedspace, SHA256_SHORT_BLOCK_LENGTH - usedspace); |
935 | | |
936 | 2.44k | #if BYTE_ORDER == LITTLE_ENDIAN |
937 | | /* Convert TO host byte order */ |
938 | 36.6k | for (int j = 0; j < 14; j++) { |
939 | 34.1k | REVERSE32(context->buffer[j],context->buffer[j]); |
940 | 34.1k | } |
941 | 2.44k | #endif |
942 | | /* Set the bit count: */ |
943 | 2.44k | context->buffer[14] = context->bitcount >> 32; |
944 | 2.44k | context->buffer[15] = context->bitcount & 0xffffffff; |
945 | | |
946 | | /* Final transform: */ |
947 | 2.44k | sha256_Transform(context->state, context->buffer, context->state); |
948 | | |
949 | 2.44k | #if BYTE_ORDER == LITTLE_ENDIAN |
950 | | /* Convert FROM host byte order */ |
951 | 21.9k | for (int j = 0; j < 8; j++) { |
952 | 19.5k | REVERSE32(context->state[j],context->state[j]); |
953 | 19.5k | } |
954 | 2.44k | #endif |
955 | 2.44k | MEMCPY_BCOPY(digest, context->state, SHA256_DIGEST_LENGTH); |
956 | 2.44k | } |
957 | | |
958 | | /* Clean up state data: */ |
959 | 2.44k | memzero(context, sizeof(SHA256_CTX)); |
960 | 2.44k | usedspace = 0; |
961 | 2.44k | } |
962 | | |
963 | 0 | char *sha256_End(SHA256_CTX* context, char buffer[SHA256_DIGEST_STRING_LENGTH]) { |
964 | 0 | sha2_byte digest[SHA256_DIGEST_LENGTH] = {0}, *d = digest; |
965 | 0 | int i = 0; |
966 | |
|
967 | 0 | if (buffer != (char*)0) { |
968 | 0 | sha256_Final(context, digest); |
969 | |
|
970 | 0 | for (i = 0; i < SHA256_DIGEST_LENGTH; i++) { |
971 | 0 | *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; |
972 | 0 | *buffer++ = sha2_hex_digits[*d & 0x0f]; |
973 | 0 | d++; |
974 | 0 | } |
975 | 0 | *buffer = (char)0; |
976 | 0 | } else { |
977 | 0 | memzero(context, sizeof(SHA256_CTX)); |
978 | 0 | } |
979 | 0 | memzero(digest, SHA256_DIGEST_LENGTH); |
980 | 0 | return buffer; |
981 | 0 | } |
982 | | |
983 | 12 | void sha256_Raw(const sha2_byte* data, size_t len, uint8_t digest[SHA256_DIGEST_LENGTH]) { |
984 | 12 | SHA256_CTX context = {0}; |
985 | 12 | sha256_Init(&context); |
986 | 12 | sha256_Update(&context, data, len); |
987 | 12 | sha256_Final(&context, digest); |
988 | 12 | } |
989 | | |
990 | 0 | char* sha256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) { |
991 | 0 | SHA256_CTX context = {0}; |
992 | |
|
993 | 0 | sha256_Init(&context); |
994 | 0 | sha256_Update(&context, data, len); |
995 | 0 | return sha256_End(&context, digest); |
996 | 0 | } |
997 | | |
998 | | |
999 | | /*** SHA-512 and SHA-384: *********************************************/ |
1000 | 515 | void sha512_Init(SHA512_CTX* context) { |
1001 | 515 | if (context == (SHA512_CTX*)0) { |
1002 | 0 | return; |
1003 | 0 | } |
1004 | 515 | MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH); |
1005 | 515 | memzero(context->buffer, SHA512_BLOCK_LENGTH); |
1006 | 515 | context->bitcount[0] = context->bitcount[1] = 0; |
1007 | 515 | } |
1008 | | |
1009 | 0 | static void sha384_Init(SHA512_CTX* context) { |
1010 | 0 | if (context == (SHA512_CTX*)0) { |
1011 | 0 | return; |
1012 | 0 | } |
1013 | 0 | MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH); |
1014 | 0 | memzero(context->buffer, SHA512_BLOCK_LENGTH); |
1015 | 0 | context->bitcount[0] = context->bitcount[1] = 0; |
1016 | 0 | } |
1017 | | |
1018 | | #ifdef SHA2_UNROLL_TRANSFORM |
1019 | | |
1020 | | /* Unrolled SHA-512 round macros: */ |
1021 | | #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ |
1022 | | T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ |
1023 | | K512[j] + (W512[j] = *data++); \ |
1024 | | (d) += T1; \ |
1025 | | (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ |
1026 | | j++ |
1027 | | |
1028 | | #define ROUND512(a,b,c,d,e,f,g,h) \ |
1029 | | s0 = W512[(j+1)&0x0f]; \ |
1030 | | s0 = sigma0_512(s0); \ |
1031 | | s1 = W512[(j+14)&0x0f]; \ |
1032 | | s1 = sigma1_512(s1); \ |
1033 | | T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ |
1034 | | (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ |
1035 | | (d) += T1; \ |
1036 | | (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ |
1037 | | j++ |
1038 | | |
1039 | | void sha512_Transform(const sha2_word64* state_in, const sha2_word64* data, sha2_word64* state_out) { |
1040 | | sha2_word64 a = 0, b = 0, c = 0, d = 0, e = 0, f = 0, g = 0, h = 0, s0 = 0, s1 = 0; |
1041 | | sha2_word64 T1 = 0, W512[16] = {0}; |
1042 | | int j = 0; |
1043 | | |
1044 | | /* Initialize registers with the prev. intermediate value */ |
1045 | | a = state_in[0]; |
1046 | | b = state_in[1]; |
1047 | | c = state_in[2]; |
1048 | | d = state_in[3]; |
1049 | | e = state_in[4]; |
1050 | | f = state_in[5]; |
1051 | | g = state_in[6]; |
1052 | | h = state_in[7]; |
1053 | | |
1054 | | j = 0; |
1055 | | do { |
1056 | | ROUND512_0_TO_15(a,b,c,d,e,f,g,h); |
1057 | | ROUND512_0_TO_15(h,a,b,c,d,e,f,g); |
1058 | | ROUND512_0_TO_15(g,h,a,b,c,d,e,f); |
1059 | | ROUND512_0_TO_15(f,g,h,a,b,c,d,e); |
1060 | | ROUND512_0_TO_15(e,f,g,h,a,b,c,d); |
1061 | | ROUND512_0_TO_15(d,e,f,g,h,a,b,c); |
1062 | | ROUND512_0_TO_15(c,d,e,f,g,h,a,b); |
1063 | | ROUND512_0_TO_15(b,c,d,e,f,g,h,a); |
1064 | | } while (j < 16); |
1065 | | |
1066 | | /* Now for the remaining rounds up to 79: */ |
1067 | | do { |
1068 | | ROUND512(a,b,c,d,e,f,g,h); |
1069 | | ROUND512(h,a,b,c,d,e,f,g); |
1070 | | ROUND512(g,h,a,b,c,d,e,f); |
1071 | | ROUND512(f,g,h,a,b,c,d,e); |
1072 | | ROUND512(e,f,g,h,a,b,c,d); |
1073 | | ROUND512(d,e,f,g,h,a,b,c); |
1074 | | ROUND512(c,d,e,f,g,h,a,b); |
1075 | | ROUND512(b,c,d,e,f,g,h,a); |
1076 | | } while (j < 80); |
1077 | | |
1078 | | /* Compute the current intermediate hash value */ |
1079 | | state_out[0] = state_in[0] + a; |
1080 | | state_out[1] = state_in[1] + b; |
1081 | | state_out[2] = state_in[2] + c; |
1082 | | state_out[3] = state_in[3] + d; |
1083 | | state_out[4] = state_in[4] + e; |
1084 | | state_out[5] = state_in[5] + f; |
1085 | | state_out[6] = state_in[6] + g; |
1086 | | state_out[7] = state_in[7] + h; |
1087 | | |
1088 | | /* Clean up */ |
1089 | | a = b = c = d = e = f = g = h = T1 = 0; |
1090 | | } |
1091 | | |
1092 | | #else /* SHA2_UNROLL_TRANSFORM */ |
1093 | | |
1094 | 76.8k | void sha512_Transform(const sha2_word64* state_in, const sha2_word64* data, sha2_word64* state_out) { |
1095 | 76.8k | sha2_word64 a = 0, b = 0, c = 0, d = 0, e = 0, f = 0, g = 0, h = 0, s0 = 0, s1 = 0; |
1096 | 76.8k | sha2_word64 T1 = 0, T2 = 0, W512[16] = {0}; |
1097 | 76.8k | int j = 0; |
1098 | | |
1099 | | /* Initialize registers with the prev. intermediate value */ |
1100 | 76.8k | a = state_in[0]; |
1101 | 76.8k | b = state_in[1]; |
1102 | 76.8k | c = state_in[2]; |
1103 | 76.8k | d = state_in[3]; |
1104 | 76.8k | e = state_in[4]; |
1105 | 76.8k | f = state_in[5]; |
1106 | 76.8k | g = state_in[6]; |
1107 | 76.8k | h = state_in[7]; |
1108 | | |
1109 | 76.8k | j = 0; |
1110 | 1.22M | do { |
1111 | | /* Apply the SHA-512 compression function to update a..h with copy */ |
1112 | 1.22M | T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++); |
1113 | 1.22M | T2 = Sigma0_512(a) + Maj(a, b, c); |
1114 | 1.22M | h = g; |
1115 | 1.22M | g = f; |
1116 | 1.22M | f = e; |
1117 | 1.22M | e = d + T1; |
1118 | 1.22M | d = c; |
1119 | 1.22M | c = b; |
1120 | 1.22M | b = a; |
1121 | 1.22M | a = T1 + T2; |
1122 | | |
1123 | 1.22M | j++; |
1124 | 1.22M | } while (j < 16); |
1125 | | |
1126 | 4.91M | do { |
1127 | | /* Part of the message block expansion: */ |
1128 | 4.91M | s0 = W512[(j+1)&0x0f]; |
1129 | 4.91M | s0 = sigma0_512(s0); |
1130 | 4.91M | s1 = W512[(j+14)&0x0f]; |
1131 | 4.91M | s1 = sigma1_512(s1); |
1132 | | |
1133 | | /* Apply the SHA-512 compression function to update a..h */ |
1134 | 4.91M | T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + |
1135 | 4.91M | (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); |
1136 | 4.91M | T2 = Sigma0_512(a) + Maj(a, b, c); |
1137 | 4.91M | h = g; |
1138 | 4.91M | g = f; |
1139 | 4.91M | f = e; |
1140 | 4.91M | e = d + T1; |
1141 | 4.91M | d = c; |
1142 | 4.91M | c = b; |
1143 | 4.91M | b = a; |
1144 | 4.91M | a = T1 + T2; |
1145 | | |
1146 | 4.91M | j++; |
1147 | 4.91M | } while (j < 80); |
1148 | | |
1149 | | /* Compute the current intermediate hash value */ |
1150 | 76.8k | state_out[0] = state_in[0] + a; |
1151 | 76.8k | state_out[1] = state_in[1] + b; |
1152 | 76.8k | state_out[2] = state_in[2] + c; |
1153 | 76.8k | state_out[3] = state_in[3] + d; |
1154 | 76.8k | state_out[4] = state_in[4] + e; |
1155 | 76.8k | state_out[5] = state_in[5] + f; |
1156 | 76.8k | state_out[6] = state_in[6] + g; |
1157 | 76.8k | state_out[7] = state_in[7] + h; |
1158 | | |
1159 | | /* Clean up */ |
1160 | 76.8k | a = b = c = d = e = f = g = h = T1 = T2 = 0; |
1161 | 76.8k | } |
1162 | | |
1163 | | #endif /* SHA2_UNROLL_TRANSFORM */ |
1164 | | |
1165 | 33.2k | void sha512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) { |
1166 | 33.2k | unsigned int freespace = 0, usedspace = 0; |
1167 | | |
1168 | 33.2k | if (len == 0) { |
1169 | | /* Calling with no data is valid - we do nothing */ |
1170 | 30.9k | return; |
1171 | 30.9k | } |
1172 | | |
1173 | 2.26k | usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; |
1174 | 2.26k | if (usedspace > 0) { |
1175 | | /* Calculate how much free space is available in the buffer */ |
1176 | 1.10k | freespace = SHA512_BLOCK_LENGTH - usedspace; |
1177 | | |
1178 | 1.10k | if (len >= freespace) { |
1179 | | /* Fill the buffer completely and process it */ |
1180 | 272 | MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, freespace); |
1181 | 272 | ADDINC128(context->bitcount, freespace << 3); |
1182 | 272 | len -= freespace; |
1183 | 272 | data += freespace; |
1184 | 272 | #if BYTE_ORDER == LITTLE_ENDIAN |
1185 | | /* Convert TO host byte order */ |
1186 | 4.62k | for (int j = 0; j < 16; j++) { |
1187 | 4.35k | REVERSE64(context->buffer[j],context->buffer[j]); |
1188 | 4.35k | } |
1189 | 272 | #endif |
1190 | 272 | sha512_Transform(context->state, context->buffer, context->state); |
1191 | 831 | } else { |
1192 | | /* The buffer is not yet full */ |
1193 | 831 | MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, len); |
1194 | 831 | ADDINC128(context->bitcount, len << 3); |
1195 | | /* Clean up: */ |
1196 | 831 | usedspace = freespace = 0; |
1197 | 831 | return; |
1198 | 831 | } |
1199 | 1.10k | } |
1200 | 73.6k | while (len >= SHA512_BLOCK_LENGTH) { |
1201 | | /* Process as many complete blocks as we can */ |
1202 | 72.2k | MEMCPY_BCOPY(context->buffer, data, SHA512_BLOCK_LENGTH); |
1203 | 72.2k | #if BYTE_ORDER == LITTLE_ENDIAN |
1204 | | /* Convert TO host byte order */ |
1205 | 1.22M | for (int j = 0; j < 16; j++) { |
1206 | 1.15M | REVERSE64(context->buffer[j],context->buffer[j]); |
1207 | 1.15M | } |
1208 | 72.2k | #endif |
1209 | 72.2k | sha512_Transform(context->state, context->buffer, context->state); |
1210 | 72.2k | ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); |
1211 | 72.2k | len -= SHA512_BLOCK_LENGTH; |
1212 | 72.2k | data += SHA512_BLOCK_LENGTH; |
1213 | 72.2k | } |
1214 | 1.43k | if (len > 0) { |
1215 | | /* There's left-overs, so save 'em */ |
1216 | 1.32k | MEMCPY_BCOPY(context->buffer, data, len); |
1217 | 1.32k | ADDINC128(context->bitcount, len << 3); |
1218 | 1.32k | } |
1219 | | /* Clean up: */ |
1220 | 1.43k | usedspace = freespace = 0; |
1221 | 1.43k | } |
1222 | | |
1223 | 1.06k | static void sha512_Last(SHA512_CTX* context) { |
1224 | 1.06k | unsigned int usedspace = 0; |
1225 | | |
1226 | 1.06k | usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; |
1227 | | /* Begin padding with a 1 bit: */ |
1228 | 1.06k | ((uint8_t*)context->buffer)[usedspace++] = 0x80; |
1229 | | |
1230 | 1.06k | if (usedspace > SHA512_SHORT_BLOCK_LENGTH) { |
1231 | 130 | memzero(((uint8_t*)context->buffer) + usedspace, SHA512_BLOCK_LENGTH - usedspace); |
1232 | | |
1233 | 130 | #if BYTE_ORDER == LITTLE_ENDIAN |
1234 | | /* Convert TO host byte order */ |
1235 | 2.21k | for (int j = 0; j < 16; j++) { |
1236 | 2.08k | REVERSE64(context->buffer[j],context->buffer[j]); |
1237 | 2.08k | } |
1238 | 130 | #endif |
1239 | | /* Do second-to-last transform: */ |
1240 | 130 | sha512_Transform(context->state, context->buffer, context->state); |
1241 | | |
1242 | | /* And prepare the last transform: */ |
1243 | 130 | usedspace = 0; |
1244 | 130 | } |
1245 | | /* Set-up for the last transform: */ |
1246 | 1.06k | memzero(((uint8_t*)context->buffer) + usedspace, SHA512_SHORT_BLOCK_LENGTH - usedspace); |
1247 | | |
1248 | 1.06k | #if BYTE_ORDER == LITTLE_ENDIAN |
1249 | | /* Convert TO host byte order */ |
1250 | 15.9k | for (int j = 0; j < 14; j++) { |
1251 | 14.8k | REVERSE64(context->buffer[j],context->buffer[j]); |
1252 | 14.8k | } |
1253 | 1.06k | #endif |
1254 | | /* Store the length of input data (in bits): */ |
1255 | 1.06k | context->buffer[14] = context->bitcount[1]; |
1256 | 1.06k | context->buffer[15] = context->bitcount[0]; |
1257 | | |
1258 | | /* Final transform: */ |
1259 | 1.06k | sha512_Transform(context->state, context->buffer, context->state); |
1260 | 1.06k | } |
1261 | | |
1262 | 1.06k | void sha512_Final(SHA512_CTX* context, sha2_byte digest[SHA512_DIGEST_LENGTH]) { |
1263 | | /* If no digest buffer is passed, we don't bother doing this: */ |
1264 | 1.06k | if (digest != (sha2_byte*)0) { |
1265 | 1.06k | sha512_Last(context); |
1266 | | |
1267 | | /* Save the hash data for output: */ |
1268 | 1.06k | #if BYTE_ORDER == LITTLE_ENDIAN |
1269 | | /* Convert FROM host byte order */ |
1270 | 9.55k | for (int j = 0; j < 8; j++) { |
1271 | 8.49k | REVERSE64(context->state[j],context->state[j]); |
1272 | 8.49k | } |
1273 | 1.06k | #endif |
1274 | 1.06k | MEMCPY_BCOPY(digest, context->state, SHA512_DIGEST_LENGTH); |
1275 | 1.06k | } |
1276 | | |
1277 | | /* Zero out state data */ |
1278 | 1.06k | memzero(context, sizeof(SHA512_CTX)); |
1279 | 1.06k | } |
1280 | | |
1281 | 0 | char *sha512_End(SHA512_CTX* context, char buffer[SHA512_DIGEST_STRING_LENGTH]) { |
1282 | 0 | sha2_byte digest[SHA512_DIGEST_LENGTH] = {0}, *d = digest; |
1283 | 0 | int i = 0; |
1284 | |
|
1285 | 0 | if (buffer != (char*)0) { |
1286 | 0 | sha512_Final(context, digest); |
1287 | |
|
1288 | 0 | for (i = 0; i < SHA512_DIGEST_LENGTH; i++) { |
1289 | 0 | *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; |
1290 | 0 | *buffer++ = sha2_hex_digits[*d & 0x0f]; |
1291 | 0 | d++; |
1292 | 0 | } |
1293 | 0 | *buffer = (char)0; |
1294 | 0 | } else { |
1295 | 0 | memzero(context, sizeof(SHA512_CTX)); |
1296 | 0 | } |
1297 | 0 | memzero(digest, SHA512_DIGEST_LENGTH); |
1298 | 0 | return buffer; |
1299 | 0 | } |
1300 | | |
1301 | 25 | void sha512_Raw(const sha2_byte* data, size_t len, uint8_t digest[SHA512_DIGEST_LENGTH]) { |
1302 | 25 | SHA512_CTX context = {0}; |
1303 | 25 | sha512_Init(&context); |
1304 | 25 | sha512_Update(&context, data, len); |
1305 | 25 | sha512_Final(&context, digest); |
1306 | 25 | } |
1307 | | |
1308 | 0 | void sha384_Raw(const sha2_byte* data, size_t len, uint8_t digest[SHA384_DIGEST_LENGTH]) { |
1309 | 0 | uint8_t full_digest[SHA512_DIGEST_LENGTH] = {0}; |
1310 | 0 | SHA512_CTX context = {0}; |
1311 | 0 | sha384_Init(&context); |
1312 | 0 | sha512_Update(&context, data, len); |
1313 | 0 | sha512_Final(&context, full_digest); |
1314 | 0 | memcpy(digest, full_digest, SHA384_DIGEST_LENGTH); |
1315 | 0 | memzero(full_digest, sizeof(full_digest)); |
1316 | 0 | } |
1317 | | |
1318 | 0 | char* sha512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) { |
1319 | 0 | SHA512_CTX context = {0}; |
1320 | |
|
1321 | 0 | sha512_Init(&context); |
1322 | 0 | sha512_Update(&context, data, len); |
1323 | 0 | return sha512_End(&context, digest); |
1324 | 0 | } |