/src/openssh/openbsd-compat/sha2.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: sha2.c,v 1.28 2019/07/23 12:35:22 dtucker Exp $ */ |
2 | | |
3 | | /* |
4 | | * FILE: sha2.c |
5 | | * AUTHOR: Aaron D. Gifford <me@aarongifford.com> |
6 | | * |
7 | | * Copyright (c) 2000-2001, Aaron D. Gifford |
8 | | * All rights reserved. |
9 | | * |
10 | | * Redistribution and use in source and binary forms, with or without |
11 | | * modification, are permitted provided that the following conditions |
12 | | * are met: |
13 | | * 1. Redistributions of source code must retain the above copyright |
14 | | * notice, this list of conditions and the following disclaimer. |
15 | | * 2. Redistributions in binary form must reproduce the above copyright |
16 | | * notice, this list of conditions and the following disclaimer in the |
17 | | * documentation and/or other materials provided with the distribution. |
18 | | * 3. Neither the name of the copyright holder nor the names of contributors |
19 | | * may be used to endorse or promote products derived from this software |
20 | | * without specific prior written permission. |
21 | | * |
22 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND |
23 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
24 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
25 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE |
26 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
27 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
28 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
29 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
30 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
31 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
32 | | * SUCH DAMAGE. |
33 | | * |
34 | | * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ |
35 | | */ |
36 | | |
37 | | /* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */ |
38 | | |
39 | | #include "includes.h" |
40 | | |
41 | | #if !defined(HAVE_SHA256UPDATE) || !defined(HAVE_SHA384UPDATE) || \ |
42 | | !defined(HAVE_SHA512UPDATE) |
43 | | |
44 | | /* no-op out, similar to DEF_WEAK but only needed here */ |
45 | | #define MAKE_CLONE(x, y) void __ssh_compat_make_clone_##x_##y(void) |
46 | | |
47 | | #include <string.h> |
48 | | #include "openbsd-compat/sha2.h" |
49 | | |
50 | | /* |
51 | | * UNROLLED TRANSFORM LOOP NOTE: |
52 | | * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform |
53 | | * loop version for the hash transform rounds (defined using macros |
54 | | * later in this file). Either define on the command line, for example: |
55 | | * |
56 | | * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c |
57 | | * |
58 | | * or define below: |
59 | | * |
60 | | * #define SHA2_UNROLL_TRANSFORM |
61 | | * |
62 | | */ |
63 | | #ifndef SHA2_SMALL |
64 | | #if defined(__amd64__) || defined(__i386__) |
65 | | #define SHA2_UNROLL_TRANSFORM |
66 | | #endif |
67 | | #endif |
68 | | |
69 | | /*** SHA-224/256/384/512 Machine Architecture Definitions *****************/ |
70 | | /* |
71 | | * BYTE_ORDER NOTE: |
72 | | * |
73 | | * Please make sure that your system defines BYTE_ORDER. If your |
74 | | * architecture is little-endian, make sure it also defines |
75 | | * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are |
76 | | * equivalent. |
77 | | * |
78 | | * If your system does not define the above, then you can do so by |
79 | | * hand like this: |
80 | | * |
81 | | * #define LITTLE_ENDIAN 1234 |
82 | | * #define BIG_ENDIAN 4321 |
83 | | * |
84 | | * And for little-endian machines, add: |
85 | | * |
86 | | * #define BYTE_ORDER LITTLE_ENDIAN |
87 | | * |
88 | | * Or for big-endian machines: |
89 | | * |
90 | | * #define BYTE_ORDER BIG_ENDIAN |
91 | | * |
92 | | * The FreeBSD machine this was written on defines BYTE_ORDER |
93 | | * appropriately by including <sys/types.h> (which in turn includes |
94 | | * <machine/endian.h> where the appropriate definitions are actually |
95 | | * made). |
96 | | */ |
97 | | #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) |
98 | | #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN |
99 | | #endif |
100 | | |
101 | | |
102 | | /*** SHA-224/256/384/512 Various Length Definitions ***********************/ |
103 | | /* NOTE: Most of these are in sha2.h */ |
104 | | #define SHA224_SHORT_BLOCK_LENGTH (SHA224_BLOCK_LENGTH - 8) |
105 | 0 | #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) |
106 | | #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) |
107 | 0 | #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) |
108 | | |
109 | | /*** ENDIAN SPECIFIC COPY MACROS **************************************/ |
110 | 0 | #define BE_8_TO_32(dst, cp) do { \ |
111 | 0 | (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \ |
112 | 0 | ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24); \ |
113 | 0 | } while(0) |
114 | | |
115 | 0 | #define BE_8_TO_64(dst, cp) do { \ |
116 | 0 | (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \ |
117 | 0 | ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) | \ |
118 | 0 | ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) | \ |
119 | 0 | ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56); \ |
120 | 0 | } while (0) |
121 | | |
122 | 0 | #define BE_64_TO_8(cp, src) do { \ |
123 | 0 | (cp)[0] = (src) >> 56; \ |
124 | 0 | (cp)[1] = (src) >> 48; \ |
125 | 0 | (cp)[2] = (src) >> 40; \ |
126 | 0 | (cp)[3] = (src) >> 32; \ |
127 | 0 | (cp)[4] = (src) >> 24; \ |
128 | 0 | (cp)[5] = (src) >> 16; \ |
129 | 0 | (cp)[6] = (src) >> 8; \ |
130 | 0 | (cp)[7] = (src); \ |
131 | 0 | } while (0) |
132 | | |
133 | 0 | #define BE_32_TO_8(cp, src) do { \ |
134 | 0 | (cp)[0] = (src) >> 24; \ |
135 | 0 | (cp)[1] = (src) >> 16; \ |
136 | 0 | (cp)[2] = (src) >> 8; \ |
137 | 0 | (cp)[3] = (src); \ |
138 | 0 | } while (0) |
139 | | |
140 | | /* |
141 | | * Macro for incrementally adding the unsigned 64-bit integer n to the |
142 | | * unsigned 128-bit integer (represented using a two-element array of |
143 | | * 64-bit words): |
144 | | */ |
145 | 0 | #define ADDINC128(w,n) do { \ |
146 | 0 | (w)[0] += (u_int64_t)(n); \ |
147 | 0 | if ((w)[0] < (n)) { \ |
148 | 0 | (w)[1]++; \ |
149 | 0 | } \ |
150 | 0 | } while (0) |
151 | | |
152 | | /*** THE SIX LOGICAL FUNCTIONS ****************************************/ |
153 | | /* |
154 | | * Bit shifting and rotation (used by the six SHA-XYZ logical functions: |
155 | | * |
156 | | * NOTE: The naming of R and S appears backwards here (R is a SHIFT and |
157 | | * S is a ROTATION) because the SHA-224/256/384/512 description document |
158 | | * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this |
159 | | * same "backwards" definition. |
160 | | */ |
161 | | /* Shift-right (used in SHA-224, SHA-256, SHA-384, and SHA-512): */ |
162 | 0 | #define R(b,x) ((x) >> (b)) |
163 | | /* 32-bit Rotate-right (used in SHA-224 and SHA-256): */ |
164 | 0 | #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) |
165 | | /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ |
166 | 0 | #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) |
167 | | |
168 | | /* Two of six logical functions used in SHA-224, SHA-256, SHA-384, and SHA-512: */ |
169 | 0 | #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) |
170 | 0 | #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) |
171 | | |
172 | | /* Four of six logical functions used in SHA-224 and SHA-256: */ |
173 | 0 | #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) |
174 | 0 | #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) |
175 | 0 | #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) |
176 | 0 | #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) |
177 | | |
178 | | /* Four of six logical functions used in SHA-384 and SHA-512: */ |
179 | 0 | #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) |
180 | 0 | #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) |
181 | 0 | #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) |
182 | 0 | #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) |
183 | | |
184 | | |
185 | | /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ |
186 | | /* Hash constant words K for SHA-224 and SHA-256: */ |
187 | | static const u_int32_t K256[64] = { |
188 | | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, |
189 | | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, |
190 | | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, |
191 | | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, |
192 | | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, |
193 | | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, |
194 | | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, |
195 | | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, |
196 | | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, |
197 | | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, |
198 | | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, |
199 | | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, |
200 | | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, |
201 | | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, |
202 | | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, |
203 | | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL |
204 | | }; |
205 | | |
206 | | /* Initial hash value H for SHA-256: */ |
207 | | static const u_int32_t sha256_initial_hash_value[8] = { |
208 | | 0x6a09e667UL, |
209 | | 0xbb67ae85UL, |
210 | | 0x3c6ef372UL, |
211 | | 0xa54ff53aUL, |
212 | | 0x510e527fUL, |
213 | | 0x9b05688cUL, |
214 | | 0x1f83d9abUL, |
215 | | 0x5be0cd19UL |
216 | | }; |
217 | | |
218 | | /* Hash constant words K for SHA-384 and SHA-512: */ |
219 | | static const u_int64_t K512[80] = { |
220 | | 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, |
221 | | 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, |
222 | | 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, |
223 | | 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, |
224 | | 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, |
225 | | 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, |
226 | | 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, |
227 | | 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, |
228 | | 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, |
229 | | 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, |
230 | | 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, |
231 | | 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, |
232 | | 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, |
233 | | 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, |
234 | | 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, |
235 | | 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, |
236 | | 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, |
237 | | 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, |
238 | | 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, |
239 | | 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, |
240 | | 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, |
241 | | 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, |
242 | | 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, |
243 | | 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, |
244 | | 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, |
245 | | 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, |
246 | | 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, |
247 | | 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, |
248 | | 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, |
249 | | 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, |
250 | | 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, |
251 | | 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, |
252 | | 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, |
253 | | 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, |
254 | | 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, |
255 | | 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, |
256 | | 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, |
257 | | 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, |
258 | | 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, |
259 | | 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL |
260 | | }; |
261 | | |
262 | | /* Initial hash value H for SHA-512 */ |
263 | | static const u_int64_t sha512_initial_hash_value[8] = { |
264 | | 0x6a09e667f3bcc908ULL, |
265 | | 0xbb67ae8584caa73bULL, |
266 | | 0x3c6ef372fe94f82bULL, |
267 | | 0xa54ff53a5f1d36f1ULL, |
268 | | 0x510e527fade682d1ULL, |
269 | | 0x9b05688c2b3e6c1fULL, |
270 | | 0x1f83d9abfb41bd6bULL, |
271 | | 0x5be0cd19137e2179ULL |
272 | | }; |
273 | | |
274 | | #if !defined(SHA2_SMALL) |
275 | | #if 0 |
276 | | /* Initial hash value H for SHA-224: */ |
277 | | static const u_int32_t sha224_initial_hash_value[8] = { |
278 | | 0xc1059ed8UL, |
279 | | 0x367cd507UL, |
280 | | 0x3070dd17UL, |
281 | | 0xf70e5939UL, |
282 | | 0xffc00b31UL, |
283 | | 0x68581511UL, |
284 | | 0x64f98fa7UL, |
285 | | 0xbefa4fa4UL |
286 | | }; |
287 | | #endif /* 0 */ |
288 | | |
289 | | /* Initial hash value H for SHA-384 */ |
290 | | static const u_int64_t sha384_initial_hash_value[8] = { |
291 | | 0xcbbb9d5dc1059ed8ULL, |
292 | | 0x629a292a367cd507ULL, |
293 | | 0x9159015a3070dd17ULL, |
294 | | 0x152fecd8f70e5939ULL, |
295 | | 0x67332667ffc00b31ULL, |
296 | | 0x8eb44a8768581511ULL, |
297 | | 0xdb0c2e0d64f98fa7ULL, |
298 | | 0x47b5481dbefa4fa4ULL |
299 | | }; |
300 | | |
301 | | #if 0 |
302 | | /* Initial hash value H for SHA-512-256 */ |
303 | | static const u_int64_t sha512_256_initial_hash_value[8] = { |
304 | | 0x22312194fc2bf72cULL, |
305 | | 0x9f555fa3c84c64c2ULL, |
306 | | 0x2393b86b6f53b151ULL, |
307 | | 0x963877195940eabdULL, |
308 | | 0x96283ee2a88effe3ULL, |
309 | | 0xbe5e1e2553863992ULL, |
310 | | 0x2b0199fc2c85b8aaULL, |
311 | | 0x0eb72ddc81c52ca2ULL |
312 | | }; |
313 | | |
314 | | /*** SHA-224: *********************************************************/ |
315 | | void |
316 | | SHA224Init(SHA2_CTX *context) |
317 | | { |
318 | | memcpy(context->state.st32, sha224_initial_hash_value, |
319 | | sizeof(sha224_initial_hash_value)); |
320 | | memset(context->buffer, 0, sizeof(context->buffer)); |
321 | | context->bitcount[0] = 0; |
322 | | } |
323 | | DEF_WEAK(SHA224Init); |
324 | | |
325 | | MAKE_CLONE(SHA224Transform, SHA256Transform); |
326 | | MAKE_CLONE(SHA224Update, SHA256Update); |
327 | | MAKE_CLONE(SHA224Pad, SHA256Pad); |
328 | | DEF_WEAK(SHA224Transform); |
329 | | DEF_WEAK(SHA224Update); |
330 | | DEF_WEAK(SHA224Pad); |
331 | | |
332 | | void |
333 | | SHA224Final(u_int8_t digest[SHA224_DIGEST_LENGTH], SHA2_CTX *context) |
334 | | { |
335 | | SHA224Pad(context); |
336 | | |
337 | | #if BYTE_ORDER == LITTLE_ENDIAN |
338 | | int i; |
339 | | |
340 | | /* Convert TO host byte order */ |
341 | | for (i = 0; i < 7; i++) |
342 | | BE_32_TO_8(digest + i * 4, context->state.st32[i]); |
343 | | #else |
344 | | memcpy(digest, context->state.st32, SHA224_DIGEST_LENGTH); |
345 | | #endif |
346 | | explicit_bzero(context, sizeof(*context)); |
347 | | } |
348 | | DEF_WEAK(SHA224Final); |
349 | | #endif /* !defined(SHA2_SMALL) */ |
350 | | #endif /* 0 */ |
351 | | |
352 | | /*** SHA-256: *********************************************************/ |
353 | | void |
354 | | SHA256Init(SHA2_CTX *context) |
355 | 0 | { |
356 | 0 | memcpy(context->state.st32, sha256_initial_hash_value, |
357 | 0 | sizeof(sha256_initial_hash_value)); |
358 | 0 | memset(context->buffer, 0, sizeof(context->buffer)); |
359 | 0 | context->bitcount[0] = 0; |
360 | 0 | } |
361 | | DEF_WEAK(SHA256Init); |
362 | | |
363 | | #ifdef SHA2_UNROLL_TRANSFORM |
364 | | |
365 | | /* Unrolled SHA-256 round macros: */ |
366 | | |
367 | 0 | #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \ |
368 | 0 | BE_8_TO_32(W256[j], data); \ |
369 | 0 | data += 4; \ |
370 | 0 | T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \ |
371 | 0 | (d) += T1; \ |
372 | 0 | (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ |
373 | 0 | j++; \ |
374 | 0 | } while(0) |
375 | | |
376 | 0 | #define ROUND256(a,b,c,d,e,f,g,h) do { \ |
377 | 0 | s0 = W256[(j+1)&0x0f]; \ |
378 | 0 | s0 = sigma0_256(s0); \ |
379 | 0 | s1 = W256[(j+14)&0x0f]; \ |
380 | 0 | s1 = sigma1_256(s1); \ |
381 | 0 | T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \ |
382 | 0 | (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ |
383 | 0 | (d) += T1; \ |
384 | 0 | (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ |
385 | 0 | j++; \ |
386 | 0 | } while(0) |
387 | | |
388 | | void |
389 | | SHA256Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) |
390 | 0 | { |
391 | 0 | u_int32_t a, b, c, d, e, f, g, h, s0, s1; |
392 | 0 | u_int32_t T1, W256[16]; |
393 | 0 | int j; |
394 | | |
395 | | /* Initialize registers with the prev. intermediate value */ |
396 | 0 | a = state[0]; |
397 | 0 | b = state[1]; |
398 | 0 | c = state[2]; |
399 | 0 | d = state[3]; |
400 | 0 | e = state[4]; |
401 | 0 | f = state[5]; |
402 | 0 | g = state[6]; |
403 | 0 | h = state[7]; |
404 | |
|
405 | 0 | j = 0; |
406 | 0 | do { |
407 | | /* Rounds 0 to 15 (unrolled): */ |
408 | 0 | ROUND256_0_TO_15(a,b,c,d,e,f,g,h); |
409 | 0 | ROUND256_0_TO_15(h,a,b,c,d,e,f,g); |
410 | 0 | ROUND256_0_TO_15(g,h,a,b,c,d,e,f); |
411 | 0 | ROUND256_0_TO_15(f,g,h,a,b,c,d,e); |
412 | 0 | ROUND256_0_TO_15(e,f,g,h,a,b,c,d); |
413 | 0 | ROUND256_0_TO_15(d,e,f,g,h,a,b,c); |
414 | 0 | ROUND256_0_TO_15(c,d,e,f,g,h,a,b); |
415 | 0 | ROUND256_0_TO_15(b,c,d,e,f,g,h,a); |
416 | 0 | } while (j < 16); |
417 | | |
418 | | /* Now for the remaining rounds up to 63: */ |
419 | 0 | do { |
420 | 0 | ROUND256(a,b,c,d,e,f,g,h); |
421 | 0 | ROUND256(h,a,b,c,d,e,f,g); |
422 | 0 | ROUND256(g,h,a,b,c,d,e,f); |
423 | 0 | ROUND256(f,g,h,a,b,c,d,e); |
424 | 0 | ROUND256(e,f,g,h,a,b,c,d); |
425 | 0 | ROUND256(d,e,f,g,h,a,b,c); |
426 | 0 | ROUND256(c,d,e,f,g,h,a,b); |
427 | 0 | ROUND256(b,c,d,e,f,g,h,a); |
428 | 0 | } while (j < 64); |
429 | | |
430 | | /* Compute the current intermediate hash value */ |
431 | 0 | state[0] += a; |
432 | 0 | state[1] += b; |
433 | 0 | state[2] += c; |
434 | 0 | state[3] += d; |
435 | 0 | state[4] += e; |
436 | 0 | state[5] += f; |
437 | 0 | state[6] += g; |
438 | 0 | state[7] += h; |
439 | | |
440 | | /* Clean up */ |
441 | 0 | a = b = c = d = e = f = g = h = T1 = 0; |
442 | 0 | } |
443 | | |
444 | | #else /* SHA2_UNROLL_TRANSFORM */ |
445 | | |
446 | | void |
447 | | SHA256Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) |
448 | | { |
449 | | u_int32_t a, b, c, d, e, f, g, h, s0, s1; |
450 | | u_int32_t T1, T2, W256[16]; |
451 | | int j; |
452 | | |
453 | | /* Initialize registers with the prev. intermediate value */ |
454 | | a = state[0]; |
455 | | b = state[1]; |
456 | | c = state[2]; |
457 | | d = state[3]; |
458 | | e = state[4]; |
459 | | f = state[5]; |
460 | | g = state[6]; |
461 | | h = state[7]; |
462 | | |
463 | | j = 0; |
464 | | do { |
465 | | BE_8_TO_32(W256[j], data); |
466 | | data += 4; |
467 | | /* Apply the SHA-256 compression function to update a..h */ |
468 | | T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; |
469 | | T2 = Sigma0_256(a) + Maj(a, b, c); |
470 | | h = g; |
471 | | g = f; |
472 | | f = e; |
473 | | e = d + T1; |
474 | | d = c; |
475 | | c = b; |
476 | | b = a; |
477 | | a = T1 + T2; |
478 | | |
479 | | j++; |
480 | | } while (j < 16); |
481 | | |
482 | | do { |
483 | | /* Part of the message block expansion: */ |
484 | | s0 = W256[(j+1)&0x0f]; |
485 | | s0 = sigma0_256(s0); |
486 | | s1 = W256[(j+14)&0x0f]; |
487 | | s1 = sigma1_256(s1); |
488 | | |
489 | | /* Apply the SHA-256 compression function to update a..h */ |
490 | | T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + |
491 | | (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); |
492 | | T2 = Sigma0_256(a) + Maj(a, b, c); |
493 | | h = g; |
494 | | g = f; |
495 | | f = e; |
496 | | e = d + T1; |
497 | | d = c; |
498 | | c = b; |
499 | | b = a; |
500 | | a = T1 + T2; |
501 | | |
502 | | j++; |
503 | | } while (j < 64); |
504 | | |
505 | | /* Compute the current intermediate hash value */ |
506 | | state[0] += a; |
507 | | state[1] += b; |
508 | | state[2] += c; |
509 | | state[3] += d; |
510 | | state[4] += e; |
511 | | state[5] += f; |
512 | | state[6] += g; |
513 | | state[7] += h; |
514 | | |
515 | | /* Clean up */ |
516 | | a = b = c = d = e = f = g = h = T1 = T2 = 0; |
517 | | } |
518 | | |
519 | | #endif /* SHA2_UNROLL_TRANSFORM */ |
520 | | DEF_WEAK(SHA256Transform); |
521 | | |
522 | | void |
523 | | SHA256Update(SHA2_CTX *context, const u_int8_t *data, size_t len) |
524 | 0 | { |
525 | 0 | u_int64_t freespace, usedspace; |
526 | | |
527 | | /* Calling with no data is valid (we do nothing) */ |
528 | 0 | if (len == 0) |
529 | 0 | return; |
530 | | |
531 | 0 | usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; |
532 | 0 | if (usedspace > 0) { |
533 | | /* Calculate how much free space is available in the buffer */ |
534 | 0 | freespace = SHA256_BLOCK_LENGTH - usedspace; |
535 | |
|
536 | 0 | if (len >= freespace) { |
537 | | /* Fill the buffer completely and process it */ |
538 | 0 | memcpy(&context->buffer[usedspace], data, freespace); |
539 | 0 | context->bitcount[0] += freespace << 3; |
540 | 0 | len -= freespace; |
541 | 0 | data += freespace; |
542 | 0 | SHA256Transform(context->state.st32, context->buffer); |
543 | 0 | } else { |
544 | | /* The buffer is not yet full */ |
545 | 0 | memcpy(&context->buffer[usedspace], data, len); |
546 | 0 | context->bitcount[0] += (u_int64_t)len << 3; |
547 | | /* Clean up: */ |
548 | 0 | usedspace = freespace = 0; |
549 | 0 | return; |
550 | 0 | } |
551 | 0 | } |
552 | 0 | while (len >= SHA256_BLOCK_LENGTH) { |
553 | | /* Process as many complete blocks as we can */ |
554 | 0 | SHA256Transform(context->state.st32, data); |
555 | 0 | context->bitcount[0] += SHA256_BLOCK_LENGTH << 3; |
556 | 0 | len -= SHA256_BLOCK_LENGTH; |
557 | 0 | data += SHA256_BLOCK_LENGTH; |
558 | 0 | } |
559 | 0 | if (len > 0) { |
560 | | /* There's left-overs, so save 'em */ |
561 | 0 | memcpy(context->buffer, data, len); |
562 | 0 | context->bitcount[0] += len << 3; |
563 | 0 | } |
564 | | /* Clean up: */ |
565 | 0 | usedspace = freespace = 0; |
566 | 0 | } |
567 | | DEF_WEAK(SHA256Update); |
568 | | |
569 | | void |
570 | | SHA256Pad(SHA2_CTX *context) |
571 | 0 | { |
572 | 0 | unsigned int usedspace; |
573 | |
|
574 | 0 | usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; |
575 | 0 | if (usedspace > 0) { |
576 | | /* Begin padding with a 1 bit: */ |
577 | 0 | context->buffer[usedspace++] = 0x80; |
578 | |
|
579 | 0 | if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { |
580 | | /* Set-up for the last transform: */ |
581 | 0 | memset(&context->buffer[usedspace], 0, |
582 | 0 | SHA256_SHORT_BLOCK_LENGTH - usedspace); |
583 | 0 | } else { |
584 | 0 | if (usedspace < SHA256_BLOCK_LENGTH) { |
585 | 0 | memset(&context->buffer[usedspace], 0, |
586 | 0 | SHA256_BLOCK_LENGTH - usedspace); |
587 | 0 | } |
588 | | /* Do second-to-last transform: */ |
589 | 0 | SHA256Transform(context->state.st32, context->buffer); |
590 | | |
591 | | /* Prepare for last transform: */ |
592 | 0 | memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); |
593 | 0 | } |
594 | 0 | } else { |
595 | | /* Set-up for the last transform: */ |
596 | 0 | memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); |
597 | | |
598 | | /* Begin padding with a 1 bit: */ |
599 | 0 | *context->buffer = 0x80; |
600 | 0 | } |
601 | | /* Store the length of input data (in bits) in big endian format: */ |
602 | 0 | BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], |
603 | 0 | context->bitcount[0]); |
604 | | |
605 | | /* Final transform: */ |
606 | 0 | SHA256Transform(context->state.st32, context->buffer); |
607 | | |
608 | | /* Clean up: */ |
609 | 0 | usedspace = 0; |
610 | 0 | } |
611 | | DEF_WEAK(SHA256Pad); |
612 | | |
613 | | void |
614 | | SHA256Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *context) |
615 | 0 | { |
616 | 0 | SHA256Pad(context); |
617 | |
|
618 | 0 | #if BYTE_ORDER == LITTLE_ENDIAN |
619 | 0 | int i; |
620 | | |
621 | | /* Convert TO host byte order */ |
622 | 0 | for (i = 0; i < 8; i++) |
623 | 0 | BE_32_TO_8(digest + i * 4, context->state.st32[i]); |
624 | | #else |
625 | | memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH); |
626 | | #endif |
627 | 0 | explicit_bzero(context, sizeof(*context)); |
628 | 0 | } |
629 | | DEF_WEAK(SHA256Final); |
630 | | |
631 | | |
632 | | /*** SHA-512: *********************************************************/ |
633 | | void |
634 | | SHA512Init(SHA2_CTX *context) |
635 | 0 | { |
636 | 0 | memcpy(context->state.st64, sha512_initial_hash_value, |
637 | 0 | sizeof(sha512_initial_hash_value)); |
638 | 0 | memset(context->buffer, 0, sizeof(context->buffer)); |
639 | 0 | context->bitcount[0] = context->bitcount[1] = 0; |
640 | 0 | } |
641 | | DEF_WEAK(SHA512Init); |
642 | | |
643 | | #ifdef SHA2_UNROLL_TRANSFORM |
644 | | |
645 | | /* Unrolled SHA-512 round macros: */ |
646 | | |
647 | 0 | #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \ |
648 | 0 | BE_8_TO_64(W512[j], data); \ |
649 | 0 | data += 8; \ |
650 | 0 | T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \ |
651 | 0 | (d) += T1; \ |
652 | 0 | (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ |
653 | 0 | j++; \ |
654 | 0 | } while(0) |
655 | | |
656 | | |
657 | 0 | #define ROUND512(a,b,c,d,e,f,g,h) do { \ |
658 | 0 | s0 = W512[(j+1)&0x0f]; \ |
659 | 0 | s0 = sigma0_512(s0); \ |
660 | 0 | s1 = W512[(j+14)&0x0f]; \ |
661 | 0 | s1 = sigma1_512(s1); \ |
662 | 0 | T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \ |
663 | 0 | (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ |
664 | 0 | (d) += T1; \ |
665 | 0 | (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ |
666 | 0 | j++; \ |
667 | 0 | } while(0) |
668 | | |
669 | | void |
670 | | SHA512Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) |
671 | 0 | { |
672 | 0 | u_int64_t a, b, c, d, e, f, g, h, s0, s1; |
673 | 0 | u_int64_t T1, W512[16]; |
674 | 0 | int j; |
675 | | |
676 | | /* Initialize registers with the prev. intermediate value */ |
677 | 0 | a = state[0]; |
678 | 0 | b = state[1]; |
679 | 0 | c = state[2]; |
680 | 0 | d = state[3]; |
681 | 0 | e = state[4]; |
682 | 0 | f = state[5]; |
683 | 0 | g = state[6]; |
684 | 0 | h = state[7]; |
685 | |
|
686 | 0 | j = 0; |
687 | 0 | do { |
688 | | /* Rounds 0 to 15 (unrolled): */ |
689 | 0 | ROUND512_0_TO_15(a,b,c,d,e,f,g,h); |
690 | 0 | ROUND512_0_TO_15(h,a,b,c,d,e,f,g); |
691 | 0 | ROUND512_0_TO_15(g,h,a,b,c,d,e,f); |
692 | 0 | ROUND512_0_TO_15(f,g,h,a,b,c,d,e); |
693 | 0 | ROUND512_0_TO_15(e,f,g,h,a,b,c,d); |
694 | 0 | ROUND512_0_TO_15(d,e,f,g,h,a,b,c); |
695 | 0 | ROUND512_0_TO_15(c,d,e,f,g,h,a,b); |
696 | 0 | ROUND512_0_TO_15(b,c,d,e,f,g,h,a); |
697 | 0 | } while (j < 16); |
698 | | |
699 | | /* Now for the remaining rounds up to 79: */ |
700 | 0 | do { |
701 | 0 | ROUND512(a,b,c,d,e,f,g,h); |
702 | 0 | ROUND512(h,a,b,c,d,e,f,g); |
703 | 0 | ROUND512(g,h,a,b,c,d,e,f); |
704 | 0 | ROUND512(f,g,h,a,b,c,d,e); |
705 | 0 | ROUND512(e,f,g,h,a,b,c,d); |
706 | 0 | ROUND512(d,e,f,g,h,a,b,c); |
707 | 0 | ROUND512(c,d,e,f,g,h,a,b); |
708 | 0 | ROUND512(b,c,d,e,f,g,h,a); |
709 | 0 | } while (j < 80); |
710 | | |
711 | | /* Compute the current intermediate hash value */ |
712 | 0 | state[0] += a; |
713 | 0 | state[1] += b; |
714 | 0 | state[2] += c; |
715 | 0 | state[3] += d; |
716 | 0 | state[4] += e; |
717 | 0 | state[5] += f; |
718 | 0 | state[6] += g; |
719 | 0 | state[7] += h; |
720 | | |
721 | | /* Clean up */ |
722 | 0 | a = b = c = d = e = f = g = h = T1 = 0; |
723 | 0 | } |
724 | | |
725 | | #else /* SHA2_UNROLL_TRANSFORM */ |
726 | | |
727 | | void |
728 | | SHA512Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) |
729 | | { |
730 | | u_int64_t a, b, c, d, e, f, g, h, s0, s1; |
731 | | u_int64_t T1, T2, W512[16]; |
732 | | int j; |
733 | | |
734 | | /* Initialize registers with the prev. intermediate value */ |
735 | | a = state[0]; |
736 | | b = state[1]; |
737 | | c = state[2]; |
738 | | d = state[3]; |
739 | | e = state[4]; |
740 | | f = state[5]; |
741 | | g = state[6]; |
742 | | h = state[7]; |
743 | | |
744 | | j = 0; |
745 | | do { |
746 | | BE_8_TO_64(W512[j], data); |
747 | | data += 8; |
748 | | /* Apply the SHA-512 compression function to update a..h */ |
749 | | T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; |
750 | | T2 = Sigma0_512(a) + Maj(a, b, c); |
751 | | h = g; |
752 | | g = f; |
753 | | f = e; |
754 | | e = d + T1; |
755 | | d = c; |
756 | | c = b; |
757 | | b = a; |
758 | | a = T1 + T2; |
759 | | |
760 | | j++; |
761 | | } while (j < 16); |
762 | | |
763 | | do { |
764 | | /* Part of the message block expansion: */ |
765 | | s0 = W512[(j+1)&0x0f]; |
766 | | s0 = sigma0_512(s0); |
767 | | s1 = W512[(j+14)&0x0f]; |
768 | | s1 = sigma1_512(s1); |
769 | | |
770 | | /* Apply the SHA-512 compression function to update a..h */ |
771 | | T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + |
772 | | (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); |
773 | | T2 = Sigma0_512(a) + Maj(a, b, c); |
774 | | h = g; |
775 | | g = f; |
776 | | f = e; |
777 | | e = d + T1; |
778 | | d = c; |
779 | | c = b; |
780 | | b = a; |
781 | | a = T1 + T2; |
782 | | |
783 | | j++; |
784 | | } while (j < 80); |
785 | | |
786 | | /* Compute the current intermediate hash value */ |
787 | | state[0] += a; |
788 | | state[1] += b; |
789 | | state[2] += c; |
790 | | state[3] += d; |
791 | | state[4] += e; |
792 | | state[5] += f; |
793 | | state[6] += g; |
794 | | state[7] += h; |
795 | | |
796 | | /* Clean up */ |
797 | | a = b = c = d = e = f = g = h = T1 = T2 = 0; |
798 | | } |
799 | | |
800 | | #endif /* SHA2_UNROLL_TRANSFORM */ |
801 | | DEF_WEAK(SHA512Transform); |
802 | | |
803 | | void |
804 | | SHA512Update(SHA2_CTX *context, const u_int8_t *data, size_t len) |
805 | 0 | { |
806 | 0 | size_t freespace, usedspace; |
807 | | |
808 | | /* Calling with no data is valid (we do nothing) */ |
809 | 0 | if (len == 0) |
810 | 0 | return; |
811 | | |
812 | 0 | usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; |
813 | 0 | if (usedspace > 0) { |
814 | | /* Calculate how much free space is available in the buffer */ |
815 | 0 | freespace = SHA512_BLOCK_LENGTH - usedspace; |
816 | |
|
817 | 0 | if (len >= freespace) { |
818 | | /* Fill the buffer completely and process it */ |
819 | 0 | memcpy(&context->buffer[usedspace], data, freespace); |
820 | 0 | ADDINC128(context->bitcount, freespace << 3); |
821 | 0 | len -= freespace; |
822 | 0 | data += freespace; |
823 | 0 | SHA512Transform(context->state.st64, context->buffer); |
824 | 0 | } else { |
825 | | /* The buffer is not yet full */ |
826 | 0 | memcpy(&context->buffer[usedspace], data, len); |
827 | 0 | ADDINC128(context->bitcount, len << 3); |
828 | | /* Clean up: */ |
829 | 0 | usedspace = freespace = 0; |
830 | 0 | return; |
831 | 0 | } |
832 | 0 | } |
833 | 0 | while (len >= SHA512_BLOCK_LENGTH) { |
834 | | /* Process as many complete blocks as we can */ |
835 | 0 | SHA512Transform(context->state.st64, data); |
836 | 0 | ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); |
837 | 0 | len -= SHA512_BLOCK_LENGTH; |
838 | 0 | data += SHA512_BLOCK_LENGTH; |
839 | 0 | } |
840 | 0 | if (len > 0) { |
841 | | /* There's left-overs, so save 'em */ |
842 | 0 | memcpy(context->buffer, data, len); |
843 | 0 | ADDINC128(context->bitcount, len << 3); |
844 | 0 | } |
845 | | /* Clean up: */ |
846 | 0 | usedspace = freespace = 0; |
847 | 0 | } |
848 | | DEF_WEAK(SHA512Update); |
849 | | |
850 | | void |
851 | | SHA512Pad(SHA2_CTX *context) |
852 | 0 | { |
853 | 0 | unsigned int usedspace; |
854 | |
|
855 | 0 | usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; |
856 | 0 | if (usedspace > 0) { |
857 | | /* Begin padding with a 1 bit: */ |
858 | 0 | context->buffer[usedspace++] = 0x80; |
859 | |
|
860 | 0 | if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { |
861 | | /* Set-up for the last transform: */ |
862 | 0 | memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace); |
863 | 0 | } else { |
864 | 0 | if (usedspace < SHA512_BLOCK_LENGTH) { |
865 | 0 | memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace); |
866 | 0 | } |
867 | | /* Do second-to-last transform: */ |
868 | 0 | SHA512Transform(context->state.st64, context->buffer); |
869 | | |
870 | | /* And set-up for the last transform: */ |
871 | 0 | memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2); |
872 | 0 | } |
873 | 0 | } else { |
874 | | /* Prepare for final transform: */ |
875 | 0 | memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH); |
876 | | |
877 | | /* Begin padding with a 1 bit: */ |
878 | 0 | *context->buffer = 0x80; |
879 | 0 | } |
880 | | /* Store the length of input data (in bits) in big endian format: */ |
881 | 0 | BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], |
882 | 0 | context->bitcount[1]); |
883 | 0 | BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], |
884 | 0 | context->bitcount[0]); |
885 | | |
886 | | /* Final transform: */ |
887 | 0 | SHA512Transform(context->state.st64, context->buffer); |
888 | | |
889 | | /* Clean up: */ |
890 | 0 | usedspace = 0; |
891 | 0 | } |
892 | | DEF_WEAK(SHA512Pad); |
893 | | |
894 | | void |
895 | | SHA512Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *context) |
896 | 0 | { |
897 | 0 | SHA512Pad(context); |
898 | |
|
899 | 0 | #if BYTE_ORDER == LITTLE_ENDIAN |
900 | 0 | int i; |
901 | | |
902 | | /* Convert TO host byte order */ |
903 | 0 | for (i = 0; i < 8; i++) |
904 | 0 | BE_64_TO_8(digest + i * 8, context->state.st64[i]); |
905 | | #else |
906 | | memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH); |
907 | | #endif |
908 | 0 | explicit_bzero(context, sizeof(*context)); |
909 | 0 | } |
910 | | DEF_WEAK(SHA512Final); |
911 | | |
912 | | #if !defined(SHA2_SMALL) |
913 | | |
914 | | /*** SHA-384: *********************************************************/ |
915 | | void |
916 | | SHA384Init(SHA2_CTX *context) |
917 | 0 | { |
918 | 0 | memcpy(context->state.st64, sha384_initial_hash_value, |
919 | 0 | sizeof(sha384_initial_hash_value)); |
920 | 0 | memset(context->buffer, 0, sizeof(context->buffer)); |
921 | 0 | context->bitcount[0] = context->bitcount[1] = 0; |
922 | 0 | } |
923 | | DEF_WEAK(SHA384Init); |
924 | | |
925 | | MAKE_CLONE(SHA384Transform, SHA512Transform); |
926 | | MAKE_CLONE(SHA384Update, SHA512Update); |
927 | | MAKE_CLONE(SHA384Pad, SHA512Pad); |
928 | | DEF_WEAK(SHA384Transform); |
929 | | DEF_WEAK(SHA384Update); |
930 | | DEF_WEAK(SHA384Pad); |
931 | | |
932 | | /* Equivalent of MAKE_CLONE (which is a no-op) for SHA384 funcs */ |
933 | | void |
934 | | SHA384Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) |
935 | 0 | { |
936 | 0 | SHA512Transform(state, data); |
937 | 0 | } |
938 | | |
939 | | void |
940 | | SHA384Update(SHA2_CTX *context, const u_int8_t *data, size_t len) |
941 | 0 | { |
942 | 0 | SHA512Update(context, data, len); |
943 | 0 | } |
944 | | |
945 | | void |
946 | | SHA384Pad(SHA2_CTX *context) |
947 | 0 | { |
948 | 0 | SHA512Pad(context); |
949 | 0 | } |
950 | | |
951 | | void |
952 | | SHA384Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *context) |
953 | 0 | { |
954 | 0 | SHA384Pad(context); |
955 | |
|
956 | 0 | #if BYTE_ORDER == LITTLE_ENDIAN |
957 | 0 | int i; |
958 | | |
959 | | /* Convert TO host byte order */ |
960 | 0 | for (i = 0; i < 6; i++) |
961 | 0 | BE_64_TO_8(digest + i * 8, context->state.st64[i]); |
962 | | #else |
963 | | memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH); |
964 | | #endif |
965 | | /* Zero out state data */ |
966 | 0 | explicit_bzero(context, sizeof(*context)); |
967 | 0 | } |
968 | | DEF_WEAK(SHA384Final); |
969 | | |
970 | | #if 0 |
971 | | /*** SHA-512/256: *********************************************************/ |
972 | | void |
973 | | SHA512_256Init(SHA2_CTX *context) |
974 | | { |
975 | | memcpy(context->state.st64, sha512_256_initial_hash_value, |
976 | | sizeof(sha512_256_initial_hash_value)); |
977 | | memset(context->buffer, 0, sizeof(context->buffer)); |
978 | | context->bitcount[0] = context->bitcount[1] = 0; |
979 | | } |
980 | | DEF_WEAK(SHA512_256Init); |
981 | | |
982 | | MAKE_CLONE(SHA512_256Transform, SHA512Transform); |
983 | | MAKE_CLONE(SHA512_256Update, SHA512Update); |
984 | | MAKE_CLONE(SHA512_256Pad, SHA512Pad); |
985 | | DEF_WEAK(SHA512_256Transform); |
986 | | DEF_WEAK(SHA512_256Update); |
987 | | DEF_WEAK(SHA512_256Pad); |
988 | | |
989 | | void |
990 | | SHA512_256Final(u_int8_t digest[SHA512_256_DIGEST_LENGTH], SHA2_CTX *context) |
991 | | { |
992 | | SHA512_256Pad(context); |
993 | | |
994 | | #if BYTE_ORDER == LITTLE_ENDIAN |
995 | | int i; |
996 | | |
997 | | /* Convert TO host byte order */ |
998 | | for (i = 0; i < 4; i++) |
999 | | BE_64_TO_8(digest + i * 8, context->state.st64[i]); |
1000 | | #else |
1001 | | memcpy(digest, context->state.st64, SHA512_256_DIGEST_LENGTH); |
1002 | | #endif |
1003 | | /* Zero out state data */ |
1004 | | explicit_bzero(context, sizeof(*context)); |
1005 | | } |
1006 | | DEF_WEAK(SHA512_256Final); |
1007 | | #endif /* !defined(SHA2_SMALL) */ |
1008 | | #endif /* 0 */ |
1009 | | |
1010 | | #endif /* HAVE_SHA{256,384,512}UPDATE */ |