Coverage Report

Created: 2024-11-21 07:03

/src/trezor-firmware/crypto/sha2.c
Line
Count
Source (jump to first uncovered line)
1
/**
2
 * Copyright (c) 2000-2001 Aaron D. Gifford
3
 * Copyright (c) 2013-2014 Pavol Rusnak
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer.
11
 * 2. Redistributions in binary form must reproduce the above copyright
12
 *    notice, this list of conditions and the following disclaimer in the
13
 *    documentation and/or other materials provided with the distribution.
14
 * 3. Neither the name of the copyright holder nor the names of contributors
15
 *    may be used to endorse or promote products derived from this software
16
 *    without specific prior written permission.
17
 *
18
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
19
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
22
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28
 * SUCH DAMAGE.
29
 */
30
31
#include <string.h>
32
#include <stdint.h>
33
#include "sha2.h"
34
#include "memzero.h"
35
#include "byte_order.h"
36
37
/*
38
 * ASSERT NOTE:
39
 * Some sanity checking code is included using assert().  On my FreeBSD
40
 * system, this additional code can be removed by compiling with NDEBUG
41
 * defined.  Check your own systems manpage on assert() to see how to
42
 * compile WITHOUT the sanity checking code on your system.
43
 *
44
 * UNROLLED TRANSFORM LOOP NOTE:
45
 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
46
 * loop version for the hash transform rounds (defined using macros
47
 * later in this file).  Either define on the command line, for example:
48
 *
49
 *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
50
 *
51
 * or define below:
52
 *
53
 *   #define SHA2_UNROLL_TRANSFORM
54
 *
55
 */
56
57
58
/*** SHA-256/384/512 Machine Architecture Definitions *****************/
59
/*
60
 * BYTE_ORDER NOTE:
61
 *
62
 * Please make sure that your system defines BYTE_ORDER.  If your
63
 * architecture is little-endian, make sure it also defines
64
 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
65
 * equivilent.
66
 *
67
 * If your system does not define the above, then you can do so by
68
 * hand like this:
69
 *
70
 *   #define LITTLE_ENDIAN 1234
71
 *   #define BIG_ENDIAN    4321
72
 *
73
 * And for little-endian machines, add:
74
 *
75
 *   #define BYTE_ORDER LITTLE_ENDIAN
76
 *
77
 * Or for big-endian machines:
78
 *
79
 *   #define BYTE_ORDER BIG_ENDIAN
80
 *
81
 * The FreeBSD machine this was written on defines BYTE_ORDER
82
 * appropriately by including <sys/types.h> (which in turn includes
83
 * <machine/endian.h> where the appropriate definitions are actually
84
 * made).
85
 */
86
87
#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
88
#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
89
#endif
90
91
typedef uint8_t  sha2_byte; /* Exactly 1 byte */
92
typedef uint32_t sha2_word32; /* Exactly 4 bytes */
93
typedef uint64_t sha2_word64; /* Exactly 8 bytes */
94
95
/*** SHA-256/384/512 Various Length Definitions ***********************/
96
/* NOTE: Most of these are in sha2.h */
97
72
#define   SHA1_SHORT_BLOCK_LENGTH (SHA1_BLOCK_LENGTH - 8)
98
4.88k
#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
99
2.12k
#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
100
101
/*
102
 * Macro for incrementally adding the unsigned 64-bit integer n to the
103
 * unsigned 128-bit integer (represented using a two-element array of
104
 * 64-bit words):
105
 */
106
74.6k
#define ADDINC128(w,n)  { \
107
74.6k
  (w)[0] += (sha2_word64)(n); \
108
74.6k
  if ((w)[0] < (n)) { \
109
0
    (w)[1]++; \
110
0
  } \
111
74.6k
}
112
113
306k
#define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
114
115
/*** THE SIX LOGICAL FUNCTIONS ****************************************/
116
/*
117
 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
118
 *
119
 *   NOTE:  In the original SHA-256/384/512 document, the shift-right
120
 *   function was named R and the rotate-right function was called S.
121
 *   (See: http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf on the
122
 *   web.)
123
 *
124
 *   The newer NIST FIPS 180-2 document uses a much clearer naming
125
 *   scheme, SHR for shift-right, ROTR for rotate-right, and ROTL for
126
 *   rotate-left.  (See:
127
 *   http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
128
 *   on the web.)
129
 *
130
 *   WARNING: These macros must be used cautiously, since they reference
131
 *   supplied parameters sometimes more than once, and thus could have
132
 *   unexpected side-effects if used without taking this into account.
133
 */
134
135
/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
136
27.0M
#define SHR(b,x)    ((x) >> (b))
137
/* 32-bit Rotate-right (used in SHA-256): */
138
103M
#define ROTR32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
139
/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
140
56.5M
#define ROTR64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
141
/* 32-bit Rotate-left (used in SHA-1): */
142
12.2M
#define ROTL32(b,x) (((x) << (b)) | ((x) >> (32 - (b))))
143
144
/* Two of six logical functions used in SHA-1, SHA-256, SHA-384, and SHA-512: */
145
18.7M
#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
146
18.7M
#define Maj(x,y,z)  (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
147
148
/* Function used in SHA-1: */
149
2.18M
#define Parity(x,y,z) ((x) ^ (y) ^ (z))
150
151
/* Four of six logical functions used in SHA-256: */
152
11.4M
#define Sigma0_256(x) (ROTR32(2,  (x)) ^ ROTR32(13, (x)) ^ ROTR32(22, (x)))
153
11.4M
#define Sigma1_256(x) (ROTR32(6,  (x)) ^ ROTR32(11, (x)) ^ ROTR32(25, (x)))
154
8.62M
#define sigma0_256(x) (ROTR32(7,  (x)) ^ ROTR32(18, (x)) ^ SHR(3 ,   (x)))
155
8.62M
#define sigma1_256(x) (ROTR32(17, (x)) ^ ROTR32(19, (x)) ^ SHR(10,   (x)))
156
157
/* Four of six logical functions used in SHA-384 and SHA-512: */
158
6.14M
#define Sigma0_512(x) (ROTR64(28, (x)) ^ ROTR64(34, (x)) ^ ROTR64(39, (x)))
159
6.14M
#define Sigma1_512(x) (ROTR64(14, (x)) ^ ROTR64(18, (x)) ^ ROTR64(41, (x)))
160
4.91M
#define sigma0_512(x) (ROTR64( 1, (x)) ^ ROTR64( 8, (x)) ^ SHR( 7,   (x)))
161
4.91M
#define sigma1_512(x) (ROTR64(19, (x)) ^ ROTR64(61, (x)) ^ SHR( 6,   (x)))
162
163
/*** INTERNAL FUNCTION PROTOTYPES *************************************/
164
/* NOTE: These should not be accessed directly from outside this
165
 * library -- they are intended for private internal visibility/use
166
 * only.
167
 */
168
static void sha512_Last(SHA512_CTX*);
169
170
171
/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
172
173
/* Hash constant words K for SHA-1: */
174
1.09M
#define K1_0_TO_19  0x5a827999UL
175
1.09M
#define K1_20_TO_39 0x6ed9eba1UL
176
1.09M
#define K1_40_TO_59 0x8f1bbcdcUL
177
1.09M
#define K1_60_TO_79 0xca62c1d6UL
178
179
/* Initial hash value H for SHA-1: */
180
const sha2_word32 sha1_initial_hash_value[SHA1_DIGEST_LENGTH / sizeof(sha2_word32)] = {
181
  0x67452301UL,
182
  0xefcdab89UL,
183
  0x98badcfeUL,
184
  0x10325476UL,
185
  0xc3d2e1f0UL
186
};
187
188
/* Hash constant words K for SHA-256: */
189
static const sha2_word32 K256[64] = {
190
  0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
191
  0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
192
  0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
193
  0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
194
  0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
195
  0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
196
  0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
197
  0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
198
  0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
199
  0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
200
  0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
201
  0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
202
  0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
203
  0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
204
  0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
205
  0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
206
};
207
208
/* Initial hash value H for SHA-256: */
209
const sha2_word32 sha256_initial_hash_value[8] = {
210
  0x6a09e667UL,
211
  0xbb67ae85UL,
212
  0x3c6ef372UL,
213
  0xa54ff53aUL,
214
  0x510e527fUL,
215
  0x9b05688cUL,
216
  0x1f83d9abUL,
217
  0x5be0cd19UL
218
};
219
220
/* Hash constant words K for SHA-384 and SHA-512: */
221
static const sha2_word64 K512[80] = {
222
  0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
223
  0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
224
  0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
225
  0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
226
  0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
227
  0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
228
  0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
229
  0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
230
  0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
231
  0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
232
  0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
233
  0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
234
  0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
235
  0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
236
  0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
237
  0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
238
  0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
239
  0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
240
  0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
241
  0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
242
  0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
243
  0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
244
  0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
245
  0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
246
  0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
247
  0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
248
  0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
249
  0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
250
  0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
251
  0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
252
  0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
253
  0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
254
  0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
255
  0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
256
  0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
257
  0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
258
  0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
259
  0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
260
  0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
261
  0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
262
};
263
264
/* Initial hash value H for SHA-512 */
265
const sha2_word64 sha512_initial_hash_value[8] = {
266
  0x6a09e667f3bcc908ULL,
267
  0xbb67ae8584caa73bULL,
268
  0x3c6ef372fe94f82bULL,
269
  0xa54ff53a5f1d36f1ULL,
270
  0x510e527fade682d1ULL,
271
  0x9b05688c2b3e6c1fULL,
272
  0x1f83d9abfb41bd6bULL,
273
  0x5be0cd19137e2179ULL
274
};
275
276
/* Initial hash value H for SHA-384 */
277
const sha2_word64 sha384_initial_hash_value[8] = {
278
  0xcbbb9d5dc1059ed8ULL,
279
  0x629a292a367cd507ULL,
280
  0x9159015a3070dd17ULL,
281
  0x152fecd8f70e5939ULL,
282
  0x67332667ffc00b31ULL,
283
  0x8eb44a8768581511ULL,
284
  0xdb0c2e0d64f98fa7ULL,
285
  0x47b5481dbefa4fa4ULL
286
};
287
288
/*
289
 * Constant used by SHA256/384/512_End() functions for converting the
290
 * digest to a readable hexadecimal character string:
291
 */
292
static const char *sha2_hex_digits = "0123456789abcdef";
293
294
295
/*** SHA-1: ***********************************************************/
296
36
void sha1_Init(SHA1_CTX* context) {
297
36
  MEMCPY_BCOPY(context->state, sha1_initial_hash_value, SHA1_DIGEST_LENGTH);
298
36
  memzero(context->buffer, SHA1_BLOCK_LENGTH);
299
36
  context->bitcount = 0;
300
36
}
301
302
#ifdef SHA2_UNROLL_TRANSFORM
303
304
/* Unrolled SHA-1 round macros: */
305
306
#define ROUND1_0_TO_15(a,b,c,d,e)       \
307
  (e) = ROTL32(5, (a)) + Ch((b), (c), (d)) + (e) +  \
308
       K1_0_TO_19 + ( W1[j] = *data++ );    \
309
  (b) = ROTL32(30, (b));  \
310
  j++;
311
312
#define ROUND1_16_TO_19(a,b,c,d,e)  \
313
  T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f];  \
314
  (e) = ROTL32(5, a) + Ch(b,c,d) + e + K1_0_TO_19 + ( W1[j&0x0f] = ROTL32(1, T1) ); \
315
  (b) = ROTL32(30, b);  \
316
  j++;
317
318
#define ROUND1_20_TO_39(a,b,c,d,e)  \
319
  T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f];  \
320
  (e) = ROTL32(5, a) + Parity(b,c,d) + e + K1_20_TO_39 + ( W1[j&0x0f] = ROTL32(1, T1) );  \
321
  (b) = ROTL32(30, b);  \
322
  j++;
323
324
#define ROUND1_40_TO_59(a,b,c,d,e)  \
325
  T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f];  \
326
  (e) = ROTL32(5, a) + Maj(b,c,d) + e + K1_40_TO_59 + ( W1[j&0x0f] = ROTL32(1, T1) ); \
327
  (b) = ROTL32(30, b);  \
328
  j++;
329
330
#define ROUND1_60_TO_79(a,b,c,d,e)  \
331
  T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f];  \
332
  (e) = ROTL32(5, a) + Parity(b,c,d) + e + K1_60_TO_79 + ( W1[j&0x0f] = ROTL32(1, T1) );  \
333
  (b) = ROTL32(30, b);  \
334
  j++;
335
336
void sha1_Transform(const sha2_word32* state_in, const sha2_word32* data, sha2_word32* state_out) {
337
  sha2_word32 a = 0, b = 0, c = 0, d = 0, e = 0;
338
  sha2_word32 T1 = 0;
339
  sha2_word32 W1[16] = {0};
340
  int   j = 0;
341
342
  /* Initialize registers with the prev. intermediate value */
343
  a = state_in[0];
344
  b = state_in[1];
345
  c = state_in[2];
346
  d = state_in[3];
347
  e = state_in[4];
348
349
  j = 0;
350
351
  /* Rounds 0 to 15 unrolled: */
352
  ROUND1_0_TO_15(a,b,c,d,e);
353
  ROUND1_0_TO_15(e,a,b,c,d);
354
  ROUND1_0_TO_15(d,e,a,b,c);
355
  ROUND1_0_TO_15(c,d,e,a,b);
356
  ROUND1_0_TO_15(b,c,d,e,a);
357
  ROUND1_0_TO_15(a,b,c,d,e);
358
  ROUND1_0_TO_15(e,a,b,c,d);
359
  ROUND1_0_TO_15(d,e,a,b,c);
360
  ROUND1_0_TO_15(c,d,e,a,b);
361
  ROUND1_0_TO_15(b,c,d,e,a);
362
  ROUND1_0_TO_15(a,b,c,d,e);
363
  ROUND1_0_TO_15(e,a,b,c,d);
364
  ROUND1_0_TO_15(d,e,a,b,c);
365
  ROUND1_0_TO_15(c,d,e,a,b);
366
  ROUND1_0_TO_15(b,c,d,e,a);
367
  ROUND1_0_TO_15(a,b,c,d,e);
368
369
  /* Rounds 16 to 19 unrolled: */
370
  ROUND1_16_TO_19(e,a,b,c,d);
371
  ROUND1_16_TO_19(d,e,a,b,c);
372
  ROUND1_16_TO_19(c,d,e,a,b);
373
  ROUND1_16_TO_19(b,c,d,e,a);
374
375
  /* Rounds 20 to 39 unrolled: */
376
  ROUND1_20_TO_39(a,b,c,d,e);
377
  ROUND1_20_TO_39(e,a,b,c,d);
378
  ROUND1_20_TO_39(d,e,a,b,c);
379
  ROUND1_20_TO_39(c,d,e,a,b);
380
  ROUND1_20_TO_39(b,c,d,e,a);
381
  ROUND1_20_TO_39(a,b,c,d,e);
382
  ROUND1_20_TO_39(e,a,b,c,d);
383
  ROUND1_20_TO_39(d,e,a,b,c);
384
  ROUND1_20_TO_39(c,d,e,a,b);
385
  ROUND1_20_TO_39(b,c,d,e,a);
386
  ROUND1_20_TO_39(a,b,c,d,e);
387
  ROUND1_20_TO_39(e,a,b,c,d);
388
  ROUND1_20_TO_39(d,e,a,b,c);
389
  ROUND1_20_TO_39(c,d,e,a,b);
390
  ROUND1_20_TO_39(b,c,d,e,a);
391
  ROUND1_20_TO_39(a,b,c,d,e);
392
  ROUND1_20_TO_39(e,a,b,c,d);
393
  ROUND1_20_TO_39(d,e,a,b,c);
394
  ROUND1_20_TO_39(c,d,e,a,b);
395
  ROUND1_20_TO_39(b,c,d,e,a);
396
397
  /* Rounds 40 to 59 unrolled: */
398
  ROUND1_40_TO_59(a,b,c,d,e);
399
  ROUND1_40_TO_59(e,a,b,c,d);
400
  ROUND1_40_TO_59(d,e,a,b,c);
401
  ROUND1_40_TO_59(c,d,e,a,b);
402
  ROUND1_40_TO_59(b,c,d,e,a);
403
  ROUND1_40_TO_59(a,b,c,d,e);
404
  ROUND1_40_TO_59(e,a,b,c,d);
405
  ROUND1_40_TO_59(d,e,a,b,c);
406
  ROUND1_40_TO_59(c,d,e,a,b);
407
  ROUND1_40_TO_59(b,c,d,e,a);
408
  ROUND1_40_TO_59(a,b,c,d,e);
409
  ROUND1_40_TO_59(e,a,b,c,d);
410
  ROUND1_40_TO_59(d,e,a,b,c);
411
  ROUND1_40_TO_59(c,d,e,a,b);
412
  ROUND1_40_TO_59(b,c,d,e,a);
413
  ROUND1_40_TO_59(a,b,c,d,e);
414
  ROUND1_40_TO_59(e,a,b,c,d);
415
  ROUND1_40_TO_59(d,e,a,b,c);
416
  ROUND1_40_TO_59(c,d,e,a,b);
417
  ROUND1_40_TO_59(b,c,d,e,a);
418
419
  /* Rounds 60 to 79 unrolled: */
420
  ROUND1_60_TO_79(a,b,c,d,e);
421
  ROUND1_60_TO_79(e,a,b,c,d);
422
  ROUND1_60_TO_79(d,e,a,b,c);
423
  ROUND1_60_TO_79(c,d,e,a,b);
424
  ROUND1_60_TO_79(b,c,d,e,a);
425
  ROUND1_60_TO_79(a,b,c,d,e);
426
  ROUND1_60_TO_79(e,a,b,c,d);
427
  ROUND1_60_TO_79(d,e,a,b,c);
428
  ROUND1_60_TO_79(c,d,e,a,b);
429
  ROUND1_60_TO_79(b,c,d,e,a);
430
  ROUND1_60_TO_79(a,b,c,d,e);
431
  ROUND1_60_TO_79(e,a,b,c,d);
432
  ROUND1_60_TO_79(d,e,a,b,c);
433
  ROUND1_60_TO_79(c,d,e,a,b);
434
  ROUND1_60_TO_79(b,c,d,e,a);
435
  ROUND1_60_TO_79(a,b,c,d,e);
436
  ROUND1_60_TO_79(e,a,b,c,d);
437
  ROUND1_60_TO_79(d,e,a,b,c);
438
  ROUND1_60_TO_79(c,d,e,a,b);
439
  ROUND1_60_TO_79(b,c,d,e,a);
440
441
  /* Compute the current intermediate hash value */
442
  state_out[0] = state_in[0] + a;
443
  state_out[1] = state_in[1] + b;
444
  state_out[2] = state_in[2] + c;
445
  state_out[3] = state_in[3] + d;
446
  state_out[4] = state_in[4] + e;
447
448
  /* Clean up */
449
  a = b = c = d = e = T1 = 0;
450
}
451
452
#else  /* SHA2_UNROLL_TRANSFORM */
453
454
54.5k
void sha1_Transform(const sha2_word32* state_in, const sha2_word32* data, sha2_word32* state_out) {
455
54.5k
  sha2_word32 a = 0, b = 0, c = 0, d = 0, e = 0;
456
54.5k
  sha2_word32 T1 = 0;
457
54.5k
  sha2_word32 W1[16] = {0};
458
54.5k
  int   j = 0;
459
460
  /* Initialize registers with the prev. intermediate value */
461
54.5k
  a = state_in[0];
462
54.5k
  b = state_in[1];
463
54.5k
  c = state_in[2];
464
54.5k
  d = state_in[3];
465
54.5k
  e = state_in[4];
466
54.5k
  j = 0;
467
873k
  do {
468
873k
    T1 = ROTL32(5, a) + Ch(b, c, d) + e + K1_0_TO_19 + (W1[j] = *data++);
469
873k
    e = d;
470
873k
    d = c;
471
873k
    c = ROTL32(30, b);
472
873k
    b = a;
473
873k
    a = T1;
474
873k
    j++;
475
873k
  } while (j < 16);
476
477
218k
  do {
478
218k
    T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f];
479
218k
    T1 = ROTL32(5, a) + Ch(b,c,d) + e + K1_0_TO_19 + (W1[j&0x0f] = ROTL32(1, T1));
480
218k
    e = d;
481
218k
    d = c;
482
218k
    c = ROTL32(30, b);
483
218k
    b = a;
484
218k
    a = T1;
485
218k
    j++;
486
218k
  } while (j < 20);
487
488
1.09M
  do {
489
1.09M
    T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f];
490
1.09M
    T1 = ROTL32(5, a) + Parity(b,c,d) + e + K1_20_TO_39 + (W1[j&0x0f] = ROTL32(1, T1));
491
1.09M
    e = d;
492
1.09M
    d = c;
493
1.09M
    c = ROTL32(30, b);
494
1.09M
    b = a;
495
1.09M
    a = T1;
496
1.09M
    j++;
497
1.09M
  } while (j < 40);
498
499
1.09M
  do {
500
1.09M
    T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f];
501
1.09M
    T1 = ROTL32(5, a) + Maj(b,c,d) + e + K1_40_TO_59 + (W1[j&0x0f] = ROTL32(1, T1));
502
1.09M
    e = d;
503
1.09M
    d = c;
504
1.09M
    c = ROTL32(30, b);
505
1.09M
    b = a;
506
1.09M
    a = T1;
507
1.09M
    j++;
508
1.09M
  } while (j < 60);
509
510
1.09M
  do {
511
1.09M
    T1 = W1[(j+13)&0x0f] ^ W1[(j+8)&0x0f] ^ W1[(j+2)&0x0f] ^ W1[j&0x0f];
512
1.09M
    T1 = ROTL32(5, a) + Parity(b,c,d) + e + K1_60_TO_79 + (W1[j&0x0f] = ROTL32(1, T1));
513
1.09M
    e = d;
514
1.09M
    d = c;
515
1.09M
    c = ROTL32(30, b);
516
1.09M
    b = a;
517
1.09M
    a = T1;
518
1.09M
    j++;
519
1.09M
  } while (j < 80);
520
521
522
  /* Compute the current intermediate hash value */
523
54.5k
  state_out[0] = state_in[0] + a;
524
54.5k
  state_out[1] = state_in[1] + b;
525
54.5k
  state_out[2] = state_in[2] + c;
526
54.5k
  state_out[3] = state_in[3] + d;
527
54.5k
  state_out[4] = state_in[4] + e;
528
529
  /* Clean up */
530
54.5k
  a = b = c = d = e = T1 = 0;
531
54.5k
}
532
533
#endif /* SHA2_UNROLL_TRANSFORM */
534
535
21.0k
void sha1_Update(SHA1_CTX* context, const sha2_byte *data, size_t len) {
536
21.0k
  unsigned int  freespace = 0, usedspace = 0;
537
538
21.0k
  if (len == 0) {
539
    /* Calling with no data is valid - we do nothing */
540
20.6k
    return;
541
20.6k
  }
542
543
418
  usedspace = (context->bitcount >> 3) % SHA1_BLOCK_LENGTH;
544
418
  if (usedspace > 0) {
545
    /* Calculate how much free space is available in the buffer */
546
375
    freespace = SHA1_BLOCK_LENGTH - usedspace;
547
548
375
    if (len >= freespace) {
549
      /* Fill the buffer completely and process it */
550
211
      MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, freespace);
551
211
      context->bitcount += freespace << 3;
552
211
      len -= freespace;
553
211
      data += freespace;
554
211
#if BYTE_ORDER == LITTLE_ENDIAN
555
      /* Convert TO host byte order */
556
3.58k
      for (int j = 0; j < 16; j++) {
557
3.37k
        REVERSE32(context->buffer[j],context->buffer[j]);
558
3.37k
      }
559
211
#endif
560
211
      sha1_Transform(context->state, context->buffer, context->state);
561
211
    } else {
562
      /* The buffer is not yet full */
563
164
      MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, len);
564
164
      context->bitcount += len << 3;
565
      /* Clean up: */
566
164
      usedspace = freespace = 0;
567
164
      return;
568
164
    }
569
375
  }
570
54.5k
  while (len >= SHA1_BLOCK_LENGTH) {
571
    /* Process as many complete blocks as we can */
572
54.3k
    MEMCPY_BCOPY(context->buffer, data, SHA1_BLOCK_LENGTH);
573
54.3k
#if BYTE_ORDER == LITTLE_ENDIAN
574
    /* Convert TO host byte order */
575
923k
    for (int j = 0; j < 16; j++) {
576
869k
      REVERSE32(context->buffer[j],context->buffer[j]);
577
869k
    }
578
54.3k
#endif
579
54.3k
    sha1_Transform(context->state, context->buffer, context->state);
580
54.3k
    context->bitcount += SHA1_BLOCK_LENGTH << 3;
581
54.3k
    len -= SHA1_BLOCK_LENGTH;
582
54.3k
    data += SHA1_BLOCK_LENGTH;
583
54.3k
  }
584
254
  if (len > 0) {
585
    /* There's left-overs, so save 'em */
586
247
    MEMCPY_BCOPY(context->buffer, data, len);
587
247
    context->bitcount += len << 3;
588
247
  }
589
  /* Clean up: */
590
254
  usedspace = freespace = 0;
591
254
}
592
593
36
void sha1_Final(SHA1_CTX* context, sha2_byte digest[SHA1_DIGEST_LENGTH]) {
594
36
  unsigned int  usedspace = 0;
595
596
  /* If no digest buffer is passed, we don't bother doing this: */
597
36
  if (digest != (sha2_byte*)0) {
598
36
    usedspace = (context->bitcount >> 3) % SHA1_BLOCK_LENGTH;
599
    /* Begin padding with a 1 bit: */
600
36
    ((uint8_t*)context->buffer)[usedspace++] = 0x80;
601
602
36
    if (usedspace > SHA1_SHORT_BLOCK_LENGTH) {
603
6
      memzero(((uint8_t*)context->buffer) + usedspace, SHA1_BLOCK_LENGTH - usedspace);
604
605
6
#if BYTE_ORDER == LITTLE_ENDIAN
606
      /* Convert TO host byte order */
607
102
      for (int j = 0; j < 16; j++) {
608
96
        REVERSE32(context->buffer[j],context->buffer[j]);
609
96
      }
610
6
#endif
611
      /* Do second-to-last transform: */
612
6
      sha1_Transform(context->state, context->buffer, context->state);
613
614
      /* And prepare the last transform: */
615
6
      usedspace = 0;
616
6
    }
617
    /* Set-up for the last transform: */
618
36
    memzero(((uint8_t*)context->buffer) + usedspace, SHA1_SHORT_BLOCK_LENGTH - usedspace);
619
620
36
#if BYTE_ORDER == LITTLE_ENDIAN
621
    /* Convert TO host byte order */
622
540
    for (int j = 0; j < 14; j++) {
623
504
      REVERSE32(context->buffer[j],context->buffer[j]);
624
504
    }
625
36
#endif
626
    /* Set the bit count: */
627
36
    context->buffer[14] = context->bitcount >> 32;
628
36
    context->buffer[15] = context->bitcount & 0xffffffff;
629
630
    /* Final transform: */
631
36
    sha1_Transform(context->state, context->buffer, context->state);
632
633
36
#if BYTE_ORDER == LITTLE_ENDIAN
634
    /* Convert FROM host byte order */
635
216
    for (int j = 0; j < 5; j++) {
636
180
      REVERSE32(context->state[j],context->state[j]);
637
180
    }
638
36
#endif
639
36
    MEMCPY_BCOPY(digest, context->state, SHA1_DIGEST_LENGTH);
640
36
  }
641
642
  /* Clean up state data: */
643
36
  memzero(context, sizeof(SHA1_CTX));
644
36
  usedspace = 0;
645
36
}
646
647
0
char *sha1_End(SHA1_CTX* context, char buffer[SHA1_DIGEST_STRING_LENGTH]) {
648
0
  sha2_byte digest[SHA1_DIGEST_LENGTH] = {0}, *d = digest;
649
0
  int   i = 0;
650
651
0
  if (buffer != (char*)0) {
652
0
    sha1_Final(context, digest);
653
654
0
    for (i = 0; i < SHA1_DIGEST_LENGTH; i++) {
655
0
      *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
656
0
      *buffer++ = sha2_hex_digits[*d & 0x0f];
657
0
      d++;
658
0
    }
659
0
    *buffer = (char)0;
660
0
  } else {
661
0
    memzero(context, sizeof(SHA1_CTX));
662
0
  }
663
0
  memzero(digest, SHA1_DIGEST_LENGTH);
664
0
  return buffer;
665
0
}
666
667
0
void sha1_Raw(const sha2_byte* data, size_t len, uint8_t digest[SHA1_DIGEST_LENGTH]) {
668
0
  SHA1_CTX  context = {0};
669
0
  sha1_Init(&context);
670
0
  sha1_Update(&context, data, len);
671
0
  sha1_Final(&context, digest);
672
0
}
673
674
0
char* sha1_Data(const sha2_byte* data, size_t len, char digest[SHA1_DIGEST_STRING_LENGTH]) {
675
0
  SHA1_CTX  context = {0};
676
677
0
  sha1_Init(&context);
678
0
  sha1_Update(&context, data, len);
679
0
  return sha1_End(&context, digest);
680
0
}
681
682
/*** SHA-256: *********************************************************/
683
1.02k
void sha256_Init(SHA256_CTX* context) {
684
1.02k
  if (context == (SHA256_CTX*)0) {
685
0
    return;
686
0
  }
687
1.02k
  MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
688
1.02k
  memzero(context->buffer, SHA256_BLOCK_LENGTH);
689
1.02k
  context->bitcount = 0;
690
1.02k
}
691
692
0
void sha256_Init_ex(SHA256_CTX *context, const uint32_t state[8], uint64_t bitcount) {
693
0
  if (context == (SHA256_CTX*)0) {
694
0
    return;
695
0
  }
696
0
  MEMCPY_BCOPY(context->state, state, SHA256_DIGEST_LENGTH);
697
0
  memzero(context->buffer, SHA256_BLOCK_LENGTH);
698
0
  context->bitcount = bitcount;
699
0
}
700
701
#ifdef SHA2_UNROLL_TRANSFORM
702
703
/* Unrolled SHA-256 round macros: */
704
705
#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
706
  T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
707
       K256[j] + (W256[j] = *data++); \
708
  (d) += T1; \
709
  (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
710
  j++
711
712
#define ROUND256(a,b,c,d,e,f,g,h) \
713
  s0 = W256[(j+1)&0x0f]; \
714
  s0 = sigma0_256(s0); \
715
  s1 = W256[(j+14)&0x0f]; \
716
  s1 = sigma1_256(s1); \
717
  T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
718
       (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
719
  (d) += T1; \
720
  (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
721
  j++
722
723
void sha256_Transform(const sha2_word32* state_in, const sha2_word32* data, sha2_word32* state_out) {
724
  sha2_word32 a = 0, b = 0, c = 0, d = 0, e = 0, f = 0, g = 0, h = 0, s0 = 0, s1 = 0;
725
  sha2_word32 T1 = 0;
726
  sha2_word32 W256[16] = {0};
727
  int   j = 0;
728
729
  /* Initialize registers with the prev. intermediate value */
730
  a = state_in[0];
731
  b = state_in[1];
732
  c = state_in[2];
733
  d = state_in[3];
734
  e = state_in[4];
735
  f = state_in[5];
736
  g = state_in[6];
737
  h = state_in[7];
738
739
  j = 0;
740
  do {
741
    /* Rounds 0 to 15 (unrolled): */
742
    ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
743
    ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
744
    ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
745
    ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
746
    ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
747
    ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
748
    ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
749
    ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
750
  } while (j < 16);
751
752
  /* Now for the remaining rounds to 64: */
753
  do {
754
    ROUND256(a,b,c,d,e,f,g,h);
755
    ROUND256(h,a,b,c,d,e,f,g);
756
    ROUND256(g,h,a,b,c,d,e,f);
757
    ROUND256(f,g,h,a,b,c,d,e);
758
    ROUND256(e,f,g,h,a,b,c,d);
759
    ROUND256(d,e,f,g,h,a,b,c);
760
    ROUND256(c,d,e,f,g,h,a,b);
761
    ROUND256(b,c,d,e,f,g,h,a);
762
  } while (j < 64);
763
764
  /* Compute the current intermediate hash value */
765
  state_out[0] = state_in[0] + a;
766
  state_out[1] = state_in[1] + b;
767
  state_out[2] = state_in[2] + c;
768
  state_out[3] = state_in[3] + d;
769
  state_out[4] = state_in[4] + e;
770
  state_out[5] = state_in[5] + f;
771
  state_out[6] = state_in[6] + g;
772
  state_out[7] = state_in[7] + h;
773
774
  /* Clean up */
775
  a = b = c = d = e = f = g = h = T1 = 0;
776
}
777
778
#else /* SHA2_UNROLL_TRANSFORM */
779
780
179k
void sha256_Transform(const sha2_word32* state_in, const sha2_word32* data, sha2_word32* state_out) {
781
179k
  sha2_word32 a = 0, b = 0, c = 0, d = 0, e = 0, f = 0, g = 0, h = 0, s0 = 0, s1 = 0;
782
179k
  sha2_word32 T1 = 0, T2 = 0 , W256[16] = {0};
783
179k
  int   j = 0;
784
785
  /* Initialize registers with the prev. intermediate value */
786
179k
  a = state_in[0];
787
179k
  b = state_in[1];
788
179k
  c = state_in[2];
789
179k
  d = state_in[3];
790
179k
  e = state_in[4];
791
179k
  f = state_in[5];
792
179k
  g = state_in[6];
793
179k
  h = state_in[7];
794
795
179k
  j = 0;
796
2.87M
  do {
797
    /* Apply the SHA-256 compression function to update a..h with copy */
798
2.87M
    T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
799
2.87M
    T2 = Sigma0_256(a) + Maj(a, b, c);
800
2.87M
    h = g;
801
2.87M
    g = f;
802
2.87M
    f = e;
803
2.87M
    e = d + T1;
804
2.87M
    d = c;
805
2.87M
    c = b;
806
2.87M
    b = a;
807
2.87M
    a = T1 + T2;
808
809
2.87M
    j++;
810
2.87M
  } while (j < 16);
811
812
8.62M
  do {
813
    /* Part of the message block expansion: */
814
8.62M
    s0 = W256[(j+1)&0x0f];
815
8.62M
    s0 = sigma0_256(s0);
816
8.62M
    s1 = W256[(j+14)&0x0f];
817
8.62M
    s1 = sigma1_256(s1);
818
819
    /* Apply the SHA-256 compression function to update a..h */
820
8.62M
    T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
821
8.62M
         (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
822
8.62M
    T2 = Sigma0_256(a) + Maj(a, b, c);
823
8.62M
    h = g;
824
8.62M
    g = f;
825
8.62M
    f = e;
826
8.62M
    e = d + T1;
827
8.62M
    d = c;
828
8.62M
    c = b;
829
8.62M
    b = a;
830
8.62M
    a = T1 + T2;
831
832
8.62M
    j++;
833
8.62M
  } while (j < 64);
834
835
  /* Compute the current intermediate hash value */
836
179k
  state_out[0] = state_in[0] + a;
837
179k
  state_out[1] = state_in[1] + b;
838
179k
  state_out[2] = state_in[2] + c;
839
179k
  state_out[3] = state_in[3] + d;
840
179k
  state_out[4] = state_in[4] + e;
841
179k
  state_out[5] = state_in[5] + f;
842
179k
  state_out[6] = state_in[6] + g;
843
179k
  state_out[7] = state_in[7] + h;
844
845
  /* Clean up */
846
179k
  a = b = c = d = e = f = g = h = T1 = T2 = 0;
847
179k
}
848
849
#endif /* SHA2_UNROLL_TRANSFORM */
850
851
26.0k
void sha256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
852
26.0k
  unsigned int  freespace = 0, usedspace = 0;
853
854
26.0k
  if (len == 0) {
855
    /* Calling with no data is valid - we do nothing */
856
21.5k
    return;
857
21.5k
  }
858
859
4.50k
  usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
860
4.50k
  if (usedspace > 0) {
861
    /* Calculate how much free space is available in the buffer */
862
2.38k
    freespace = SHA256_BLOCK_LENGTH - usedspace;
863
864
2.38k
    if (len >= freespace) {
865
      /* Fill the buffer completely and process it */
866
731
      MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, freespace);
867
731
      context->bitcount += freespace << 3;
868
731
      len -= freespace;
869
731
      data += freespace;
870
731
#if BYTE_ORDER == LITTLE_ENDIAN
871
      /* Convert TO host byte order */
872
12.4k
      for (int j = 0; j < 16; j++) {
873
11.6k
        REVERSE32(context->buffer[j],context->buffer[j]);
874
11.6k
      }
875
731
#endif
876
731
      sha256_Transform(context->state, context->buffer, context->state);
877
1.64k
    } else {
878
      /* The buffer is not yet full */
879
1.64k
      MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, len);
880
1.64k
      context->bitcount += len << 3;
881
      /* Clean up: */
882
1.64k
      usedspace = freespace = 0;
883
1.64k
      return;
884
1.64k
    }
885
2.38k
  }
886
169k
  while (len >= SHA256_BLOCK_LENGTH) {
887
    /* Process as many complete blocks as we can */
888
166k
    MEMCPY_BCOPY(context->buffer, data, SHA256_BLOCK_LENGTH);
889
166k
#if BYTE_ORDER == LITTLE_ENDIAN
890
    /* Convert TO host byte order */
891
2.82M
    for (int j = 0; j < 16; j++) {
892
2.66M
      REVERSE32(context->buffer[j],context->buffer[j]);
893
2.66M
    }
894
166k
#endif
895
166k
    sha256_Transform(context->state, context->buffer, context->state);
896
166k
    context->bitcount += SHA256_BLOCK_LENGTH << 3;
897
166k
    len -= SHA256_BLOCK_LENGTH;
898
166k
    data += SHA256_BLOCK_LENGTH;
899
166k
  }
900
2.85k
  if (len > 0) {
901
    /* There's left-overs, so save 'em */
902
2.74k
    MEMCPY_BCOPY(context->buffer, data, len);
903
2.74k
    context->bitcount += len << 3;
904
2.74k
  }
905
  /* Clean up: */
906
2.85k
  usedspace = freespace = 0;
907
2.85k
}
908
909
2.44k
void sha256_Final(SHA256_CTX* context, sha2_byte digest[SHA256_DIGEST_LENGTH]) {
910
2.44k
  unsigned int  usedspace = 0;
911
912
  /* If no digest buffer is passed, we don't bother doing this: */
913
2.44k
  if (digest != (sha2_byte*)0) {
914
2.44k
    usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
915
    /* Begin padding with a 1 bit: */
916
2.44k
    ((uint8_t*)context->buffer)[usedspace++] = 0x80;
917
918
2.44k
    if (usedspace > SHA256_SHORT_BLOCK_LENGTH) {
919
391
      memzero(((uint8_t*)context->buffer) + usedspace, SHA256_BLOCK_LENGTH - usedspace);
920
921
391
#if BYTE_ORDER == LITTLE_ENDIAN
922
      /* Convert TO host byte order */
923
6.64k
      for (int j = 0; j < 16; j++) {
924
6.25k
        REVERSE32(context->buffer[j],context->buffer[j]);
925
6.25k
      }
926
391
#endif
927
      /* Do second-to-last transform: */
928
391
      sha256_Transform(context->state, context->buffer, context->state);
929
930
      /* And prepare the last transform: */
931
391
      usedspace = 0;
932
391
    }
933
    /* Set-up for the last transform: */
934
2.44k
    memzero(((uint8_t*)context->buffer) + usedspace, SHA256_SHORT_BLOCK_LENGTH - usedspace);
935
936
2.44k
#if BYTE_ORDER == LITTLE_ENDIAN
937
    /* Convert TO host byte order */
938
36.6k
    for (int j = 0; j < 14; j++) {
939
34.1k
      REVERSE32(context->buffer[j],context->buffer[j]);
940
34.1k
    }
941
2.44k
#endif
942
    /* Set the bit count: */
943
2.44k
    context->buffer[14] = context->bitcount >> 32;
944
2.44k
    context->buffer[15] = context->bitcount & 0xffffffff;
945
946
    /* Final transform: */
947
2.44k
    sha256_Transform(context->state, context->buffer, context->state);
948
949
2.44k
#if BYTE_ORDER == LITTLE_ENDIAN
950
    /* Convert FROM host byte order */
951
21.9k
    for (int j = 0; j < 8; j++) {
952
19.5k
      REVERSE32(context->state[j],context->state[j]);
953
19.5k
    }
954
2.44k
#endif
955
2.44k
    MEMCPY_BCOPY(digest, context->state, SHA256_DIGEST_LENGTH);
956
2.44k
  }
957
958
  /* Clean up state data: */
959
2.44k
  memzero(context, sizeof(SHA256_CTX));
960
2.44k
  usedspace = 0;
961
2.44k
}
962
963
0
char *sha256_End(SHA256_CTX* context, char buffer[SHA256_DIGEST_STRING_LENGTH]) {
964
0
  sha2_byte digest[SHA256_DIGEST_LENGTH] = {0}, *d = digest;
965
0
  int   i = 0;
966
967
0
  if (buffer != (char*)0) {
968
0
    sha256_Final(context, digest);
969
970
0
    for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
971
0
      *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
972
0
      *buffer++ = sha2_hex_digits[*d & 0x0f];
973
0
      d++;
974
0
    }
975
0
    *buffer = (char)0;
976
0
  } else {
977
0
    memzero(context, sizeof(SHA256_CTX));
978
0
  }
979
0
  memzero(digest, SHA256_DIGEST_LENGTH);
980
0
  return buffer;
981
0
}
982
983
12
void sha256_Raw(const sha2_byte* data, size_t len, uint8_t digest[SHA256_DIGEST_LENGTH]) {
984
12
  SHA256_CTX  context = {0};
985
12
  sha256_Init(&context);
986
12
  sha256_Update(&context, data, len);
987
12
  sha256_Final(&context, digest);
988
12
}
989
990
0
char* sha256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
991
0
  SHA256_CTX  context = {0};
992
993
0
  sha256_Init(&context);
994
0
  sha256_Update(&context, data, len);
995
0
  return sha256_End(&context, digest);
996
0
}
997
998
999
/*** SHA-512 and SHA-384: *********************************************/
1000
515
void sha512_Init(SHA512_CTX* context) {
1001
515
  if (context == (SHA512_CTX*)0) {
1002
0
    return;
1003
0
  }
1004
515
  MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
1005
515
  memzero(context->buffer, SHA512_BLOCK_LENGTH);
1006
515
  context->bitcount[0] = context->bitcount[1] =  0;
1007
515
}
1008
1009
0
static void sha384_Init(SHA512_CTX* context) {
1010
0
  if (context == (SHA512_CTX*)0) {
1011
0
    return;
1012
0
  }
1013
0
  MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
1014
0
  memzero(context->buffer, SHA512_BLOCK_LENGTH);
1015
0
  context->bitcount[0] = context->bitcount[1] =  0;
1016
0
}
1017
1018
#ifdef SHA2_UNROLL_TRANSFORM
1019
1020
/* Unrolled SHA-512 round macros: */
1021
#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
1022
  T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
1023
             K512[j] + (W512[j] = *data++); \
1024
  (d) += T1; \
1025
  (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
1026
  j++
1027
1028
#define ROUND512(a,b,c,d,e,f,g,h) \
1029
  s0 = W512[(j+1)&0x0f]; \
1030
  s0 = sigma0_512(s0); \
1031
  s1 = W512[(j+14)&0x0f]; \
1032
  s1 = sigma1_512(s1); \
1033
  T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
1034
             (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
1035
  (d) += T1; \
1036
  (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
1037
  j++
1038
1039
void sha512_Transform(const sha2_word64* state_in, const sha2_word64* data, sha2_word64* state_out) {
1040
  sha2_word64 a = 0, b = 0, c = 0, d = 0, e = 0, f = 0, g = 0, h = 0, s0 = 0, s1 = 0;
1041
  sha2_word64 T1 = 0, W512[16] = {0};
1042
  int   j = 0;
1043
1044
  /* Initialize registers with the prev. intermediate value */
1045
  a = state_in[0];
1046
  b = state_in[1];
1047
  c = state_in[2];
1048
  d = state_in[3];
1049
  e = state_in[4];
1050
  f = state_in[5];
1051
  g = state_in[6];
1052
  h = state_in[7];
1053
1054
  j = 0;
1055
  do {
1056
    ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
1057
    ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
1058
    ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
1059
    ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
1060
    ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
1061
    ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
1062
    ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
1063
    ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
1064
  } while (j < 16);
1065
1066
  /* Now for the remaining rounds up to 79: */
1067
  do {
1068
    ROUND512(a,b,c,d,e,f,g,h);
1069
    ROUND512(h,a,b,c,d,e,f,g);
1070
    ROUND512(g,h,a,b,c,d,e,f);
1071
    ROUND512(f,g,h,a,b,c,d,e);
1072
    ROUND512(e,f,g,h,a,b,c,d);
1073
    ROUND512(d,e,f,g,h,a,b,c);
1074
    ROUND512(c,d,e,f,g,h,a,b);
1075
    ROUND512(b,c,d,e,f,g,h,a);
1076
  } while (j < 80);
1077
1078
  /* Compute the current intermediate hash value */
1079
  state_out[0] = state_in[0] + a;
1080
  state_out[1] = state_in[1] + b;
1081
  state_out[2] = state_in[2] + c;
1082
  state_out[3] = state_in[3] + d;
1083
  state_out[4] = state_in[4] + e;
1084
  state_out[5] = state_in[5] + f;
1085
  state_out[6] = state_in[6] + g;
1086
  state_out[7] = state_in[7] + h;
1087
1088
  /* Clean up */
1089
  a = b = c = d = e = f = g = h = T1 = 0;
1090
}
1091
1092
#else /* SHA2_UNROLL_TRANSFORM */
1093
1094
76.8k
void sha512_Transform(const sha2_word64* state_in, const sha2_word64* data, sha2_word64* state_out) {
1095
76.8k
  sha2_word64 a = 0, b = 0, c = 0, d = 0, e = 0, f = 0, g = 0, h = 0, s0 = 0, s1 = 0;
1096
76.8k
  sha2_word64 T1 = 0, T2 = 0, W512[16] = {0};
1097
76.8k
  int   j = 0;
1098
1099
  /* Initialize registers with the prev. intermediate value */
1100
76.8k
  a = state_in[0];
1101
76.8k
  b = state_in[1];
1102
76.8k
  c = state_in[2];
1103
76.8k
  d = state_in[3];
1104
76.8k
  e = state_in[4];
1105
76.8k
  f = state_in[5];
1106
76.8k
  g = state_in[6];
1107
76.8k
  h = state_in[7];
1108
1109
76.8k
  j = 0;
1110
1.22M
  do {
1111
    /* Apply the SHA-512 compression function to update a..h with copy */
1112
1.22M
    T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
1113
1.22M
    T2 = Sigma0_512(a) + Maj(a, b, c);
1114
1.22M
    h = g;
1115
1.22M
    g = f;
1116
1.22M
    f = e;
1117
1.22M
    e = d + T1;
1118
1.22M
    d = c;
1119
1.22M
    c = b;
1120
1.22M
    b = a;
1121
1.22M
    a = T1 + T2;
1122
1123
1.22M
    j++;
1124
1.22M
  } while (j < 16);
1125
1126
4.91M
  do {
1127
    /* Part of the message block expansion: */
1128
4.91M
    s0 = W512[(j+1)&0x0f];
1129
4.91M
    s0 = sigma0_512(s0);
1130
4.91M
    s1 = W512[(j+14)&0x0f];
1131
4.91M
    s1 =  sigma1_512(s1);
1132
1133
    /* Apply the SHA-512 compression function to update a..h */
1134
4.91M
    T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
1135
4.91M
         (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
1136
4.91M
    T2 = Sigma0_512(a) + Maj(a, b, c);
1137
4.91M
    h = g;
1138
4.91M
    g = f;
1139
4.91M
    f = e;
1140
4.91M
    e = d + T1;
1141
4.91M
    d = c;
1142
4.91M
    c = b;
1143
4.91M
    b = a;
1144
4.91M
    a = T1 + T2;
1145
1146
4.91M
    j++;
1147
4.91M
  } while (j < 80);
1148
1149
  /* Compute the current intermediate hash value */
1150
76.8k
  state_out[0] = state_in[0] + a;
1151
76.8k
  state_out[1] = state_in[1] + b;
1152
76.8k
  state_out[2] = state_in[2] + c;
1153
76.8k
  state_out[3] = state_in[3] + d;
1154
76.8k
  state_out[4] = state_in[4] + e;
1155
76.8k
  state_out[5] = state_in[5] + f;
1156
76.8k
  state_out[6] = state_in[6] + g;
1157
76.8k
  state_out[7] = state_in[7] + h;
1158
1159
  /* Clean up */
1160
76.8k
  a = b = c = d = e = f = g = h = T1 = T2 = 0;
1161
76.8k
}
1162
1163
#endif /* SHA2_UNROLL_TRANSFORM */
1164
1165
33.2k
void sha512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
1166
33.2k
  unsigned int  freespace = 0, usedspace = 0;
1167
1168
33.2k
  if (len == 0) {
1169
    /* Calling with no data is valid - we do nothing */
1170
30.9k
    return;
1171
30.9k
  }
1172
1173
2.26k
  usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
1174
2.26k
  if (usedspace > 0) {
1175
    /* Calculate how much free space is available in the buffer */
1176
1.10k
    freespace = SHA512_BLOCK_LENGTH - usedspace;
1177
1178
1.10k
    if (len >= freespace) {
1179
      /* Fill the buffer completely and process it */
1180
272
      MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, freespace);
1181
272
      ADDINC128(context->bitcount, freespace << 3);
1182
272
      len -= freespace;
1183
272
      data += freespace;
1184
272
#if BYTE_ORDER == LITTLE_ENDIAN
1185
      /* Convert TO host byte order */
1186
4.62k
      for (int j = 0; j < 16; j++) {
1187
4.35k
        REVERSE64(context->buffer[j],context->buffer[j]);
1188
4.35k
      }
1189
272
#endif
1190
272
      sha512_Transform(context->state, context->buffer, context->state);
1191
831
    } else {
1192
      /* The buffer is not yet full */
1193
831
      MEMCPY_BCOPY(((uint8_t*)context->buffer) + usedspace, data, len);
1194
831
      ADDINC128(context->bitcount, len << 3);
1195
      /* Clean up: */
1196
831
      usedspace = freespace = 0;
1197
831
      return;
1198
831
    }
1199
1.10k
  }
1200
73.6k
  while (len >= SHA512_BLOCK_LENGTH) {
1201
    /* Process as many complete blocks as we can */
1202
72.2k
    MEMCPY_BCOPY(context->buffer, data, SHA512_BLOCK_LENGTH);
1203
72.2k
#if BYTE_ORDER == LITTLE_ENDIAN
1204
    /* Convert TO host byte order */
1205
1.22M
    for (int j = 0; j < 16; j++) {
1206
1.15M
      REVERSE64(context->buffer[j],context->buffer[j]);
1207
1.15M
    }
1208
72.2k
#endif
1209
72.2k
    sha512_Transform(context->state, context->buffer, context->state);
1210
72.2k
    ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
1211
72.2k
    len -= SHA512_BLOCK_LENGTH;
1212
72.2k
    data += SHA512_BLOCK_LENGTH;
1213
72.2k
  }
1214
1.43k
  if (len > 0) {
1215
    /* There's left-overs, so save 'em */
1216
1.32k
    MEMCPY_BCOPY(context->buffer, data, len);
1217
1.32k
    ADDINC128(context->bitcount, len << 3);
1218
1.32k
  }
1219
  /* Clean up: */
1220
1.43k
  usedspace = freespace = 0;
1221
1.43k
}
1222
1223
1.06k
static void sha512_Last(SHA512_CTX* context) {
1224
1.06k
  unsigned int  usedspace = 0;
1225
1226
1.06k
  usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
1227
  /* Begin padding with a 1 bit: */
1228
1.06k
  ((uint8_t*)context->buffer)[usedspace++] = 0x80;
1229
1230
1.06k
  if (usedspace > SHA512_SHORT_BLOCK_LENGTH) {
1231
130
    memzero(((uint8_t*)context->buffer) + usedspace, SHA512_BLOCK_LENGTH - usedspace);
1232
1233
130
#if BYTE_ORDER == LITTLE_ENDIAN
1234
    /* Convert TO host byte order */
1235
2.21k
    for (int j = 0; j < 16; j++) {
1236
2.08k
      REVERSE64(context->buffer[j],context->buffer[j]);
1237
2.08k
    }
1238
130
#endif
1239
    /* Do second-to-last transform: */
1240
130
    sha512_Transform(context->state, context->buffer, context->state);
1241
1242
    /* And prepare the last transform: */
1243
130
    usedspace = 0;
1244
130
  }
1245
  /* Set-up for the last transform: */
1246
1.06k
  memzero(((uint8_t*)context->buffer) + usedspace, SHA512_SHORT_BLOCK_LENGTH - usedspace);
1247
1248
1.06k
#if BYTE_ORDER == LITTLE_ENDIAN
1249
  /* Convert TO host byte order */
1250
15.9k
  for (int j = 0; j < 14; j++) {
1251
14.8k
    REVERSE64(context->buffer[j],context->buffer[j]);
1252
14.8k
  }
1253
1.06k
#endif
1254
  /* Store the length of input data (in bits): */
1255
1.06k
  context->buffer[14] = context->bitcount[1];
1256
1.06k
  context->buffer[15] = context->bitcount[0];
1257
1258
  /* Final transform: */
1259
1.06k
  sha512_Transform(context->state, context->buffer, context->state);
1260
1.06k
}
1261
1262
1.06k
void sha512_Final(SHA512_CTX* context, sha2_byte digest[SHA512_DIGEST_LENGTH]) {
1263
  /* If no digest buffer is passed, we don't bother doing this: */
1264
1.06k
  if (digest != (sha2_byte*)0) {
1265
1.06k
    sha512_Last(context);
1266
1267
    /* Save the hash data for output: */
1268
1.06k
#if BYTE_ORDER == LITTLE_ENDIAN
1269
    /* Convert FROM host byte order */
1270
9.55k
    for (int j = 0; j < 8; j++) {
1271
8.49k
      REVERSE64(context->state[j],context->state[j]);
1272
8.49k
    }
1273
1.06k
#endif
1274
1.06k
    MEMCPY_BCOPY(digest, context->state, SHA512_DIGEST_LENGTH);
1275
1.06k
  }
1276
1277
  /* Zero out state data */
1278
1.06k
  memzero(context, sizeof(SHA512_CTX));
1279
1.06k
}
1280
1281
0
char *sha512_End(SHA512_CTX* context, char buffer[SHA512_DIGEST_STRING_LENGTH]) {
1282
0
  sha2_byte digest[SHA512_DIGEST_LENGTH] = {0}, *d = digest;
1283
0
  int   i = 0;
1284
1285
0
  if (buffer != (char*)0) {
1286
0
    sha512_Final(context, digest);
1287
1288
0
    for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
1289
0
      *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
1290
0
      *buffer++ = sha2_hex_digits[*d & 0x0f];
1291
0
      d++;
1292
0
    }
1293
0
    *buffer = (char)0;
1294
0
  } else {
1295
0
    memzero(context, sizeof(SHA512_CTX));
1296
0
  }
1297
0
  memzero(digest, SHA512_DIGEST_LENGTH);
1298
0
  return buffer;
1299
0
}
1300
1301
25
void sha512_Raw(const sha2_byte* data, size_t len, uint8_t digest[SHA512_DIGEST_LENGTH]) {
1302
25
  SHA512_CTX  context = {0};
1303
25
  sha512_Init(&context);
1304
25
  sha512_Update(&context, data, len);
1305
25
  sha512_Final(&context, digest);
1306
25
}
1307
1308
0
void sha384_Raw(const sha2_byte* data, size_t len, uint8_t digest[SHA384_DIGEST_LENGTH]) {
1309
0
  uint8_t full_digest[SHA512_DIGEST_LENGTH] = {0};
1310
0
  SHA512_CTX  context = {0};
1311
0
  sha384_Init(&context);
1312
0
  sha512_Update(&context, data, len);
1313
0
  sha512_Final(&context, full_digest);
1314
0
  memcpy(digest, full_digest, SHA384_DIGEST_LENGTH);
1315
0
  memzero(full_digest, sizeof(full_digest));
1316
0
}
1317
1318
0
char* sha512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
1319
0
  SHA512_CTX  context = {0};
1320
1321
0
  sha512_Init(&context);
1322
0
  sha512_Update(&context, data, len);
1323
0
  return sha512_End(&context, digest);
1324
0
}