ext/digest/sha2/sha2.c

DEFINITIONS

1. SHA256_Init
2. SHA256_Transform
3. SHA256_Transform
4. SHA256_Update
5. SHA256_Final
6. SHA256_Equal
7. SHA512_Init
8. SHA512_Transform
9. SHA512_Transform
10. SHA512_Update
11. SHA512_Last
12. SHA512_Final
13. SHA512_Equal
14. SHA384_Init
15. SHA384_Update
16. SHA384_Final
17. SHA384_Equal

   1  /*
   2   * sha2.c
   3   *
   4   * Version 1.0.0beta1
   5   *
   6   * Written by Aaron D. Gifford <me@aarongifford.com>
   7   *
   8   * Copyright 2000 Aaron D. Gifford.  All rights reserved.
   9   *
  10   * Redistribution and use in source and binary forms, with or without
  11   * modification, are permitted provided that the following conditions
  12   * are met:
  13   * 1. Redistributions of source code must retain the above copyright
  14   *    notice, this list of conditions and the following disclaimer.
  15   * 2. Redistributions in binary form must reproduce the above copyright
  16   *    notice, this list of conditions and the following disclaimer in the
  17   *    documentation and/or other materials provided with the distribution.
  18   * 3. Neither the name of the copyright holder nor the names of contributors
  19   *    may be used to endorse or promote products derived from this software
  20   *    without specific prior written permission.
  21   * 
  22   * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
  23   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  24   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  25   * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
  26   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  27   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  28   * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  29   * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  30   * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  31   * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  32   * SUCH DAMAGE.
  33   *
  34   */
  35  
  36  /* $RoughId: sha2.c,v 1.3 2002/02/26 22:03:36 knu Exp $ */
  37  /* $Id: sha2.c,v 1.2 2002/02/26 22:07:36 knu Exp $ */
  38  
  39  #include <stdio.h>
  40  #include <string.h>     /* memcpy()/memset() or bcopy()/bzero() */
  41  #include <assert.h>     /* assert() */
  42  #include "sha2.h"
  43  
  44  /*
  45   * ASSERT NOTE:
  46   * Some sanity checking code is included using assert().  On my FreeBSD
  47   * system, this additional code can be removed by compiling with NDEBUG
  48   * defined.  Check your own systems manpage on assert() to see how to
  49   * compile WITHOUT the sanity checking code on your system.
  50   *
  51   * UNROLLED TRANSFORM LOOP NOTE:
  52   * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
  53   * loop version for the hash transform rounds (defined using macros
  54   * later in this file).  Either define on the command line, for example:
  55   *
  56   *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
  57   *
  58   * or define below:
  59   *
  60   *   #define SHA2_UNROLL_TRANSFORM
  61   *
  62   */
  63  
  64  
  65  /*** SHA-256/384/512 Machine Architecture Definitions *****************/
  66  typedef uint8_t  sha2_byte;     /* Exactly 1 byte */
  67  typedef uint32_t sha2_word32;   /* Exactly 4 bytes */
  68  typedef uint64_t sha2_word64;   /* Exactly 8 bytes */
  69  
  70  #if defined(__GNUC__)
  71  #define ULL(number)     number##ULL
  72  #else
  73  #define ULL(number)     (uint64_t)(number)
  74  #endif
  75  
  76  
  77  /*** SHA-256/384/512 Various Length Definitions ***********************/
  78  /* NOTE: Most of these are in sha2.h */
  79  #define SHA256_SHORT_BLOCK_LENGTH       (SHA256_BLOCK_LENGTH - 8)
  80  #define SHA384_SHORT_BLOCK_LENGTH       (SHA384_BLOCK_LENGTH - 16)
  81  #define SHA512_SHORT_BLOCK_LENGTH       (SHA512_BLOCK_LENGTH - 16)
  82  
  83  
  84  /*** ENDIAN REVERSAL MACROS *******************************************/
  85  #ifndef WORDS_BIGENDIAN
  86  #define REVERSE32(w,x)  { \
  87          sha2_word32 tmp = (w); \
  88          tmp = (tmp >> 16) | (tmp << 16); \
  89          (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
  90  }
  91  #define REVERSE64(w,x)  { \
  92          sha2_word64 tmp = (w); \
  93          tmp = (tmp >> 32) | (tmp << 32); \
  94          tmp = ((tmp & ULL(0xff00ff00ff00ff00)) >> 8) | \
  95                ((tmp & ULL(0x00ff00ff00ff00ff)) << 8); \
  96          (x) = ((tmp & ULL(0xffff0000ffff0000)) >> 16) | \
  97                ((tmp & ULL(0x0000ffff0000ffff)) << 16); \
  98  }
  99  #endif
 100  
 101  /*
 102   * Macro for incrementally adding the unsigned 64-bit integer n to the
 103   * unsigned 128-bit integer (represented using a two-element array of
 104   * 64-bit words):
 105   */
 106  #define ADDINC128(w,n)  { \
 107          (w)[0] += (sha2_word64)(n); \
 108          if ((w)[0] < (n)) { \
 109                  (w)[1]++; \
 110          } \
 111  }
 112  
 113  /*
 114   * Macros for copying blocks of memory and for zeroing out ranges
 115   * of memory.  Using these macros makes it easy to switch from
 116   * using memset()/memcpy() and using bzero()/bcopy().
 117   *
 118   * Please define either SHA2_USE_MEMSET_MEMCPY or define
 119   * SHA2_USE_BZERO_BCOPY depending on which function set you
 120   * choose to use:
 121   */
 122  #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
 123  /* Default to memset()/memcpy() if no option is specified */
 124  #define SHA2_USE_MEMSET_MEMCPY  1
 125  #endif
 126  #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
 127  /* Abort with an error if BOTH options are defined */
 128  #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
 129  #endif
 130  
 131  #ifdef SHA2_USE_MEMSET_MEMCPY
 132  #define MEMSET_BZERO(p,l)       memset((p), 0, (l))
 133  #define MEMCPY_BCOPY(d,s,l)     memcpy((d), (s), (l))
 134  #endif
 135  #ifdef SHA2_USE_BZERO_BCOPY
 136  #define MEMSET_BZERO(p,l)       bzero((p), (l))
 137  #define MEMCPY_BCOPY(d,s,l)     bcopy((s), (d), (l))
 138  #endif
 139  
 140  
 141  /*** THE SIX LOGICAL FUNCTIONS ****************************************/
 142  /*
 143   * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
 144   *
 145   *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
 146   *   S is a ROTATION) because the SHA-256/384/512 description document
 147   *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
 148   *   same "backwards" definition.
 149   */
 150  /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
 151  #define R(b,x)          ((x) >> (b))
 152  /* 32-bit Rotate-right (used in SHA-256): */
 153  #define S32(b,x)        (((x) >> (b)) | ((x) << (32 - (b))))
 154  /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
 155  #define S64(b,x)        (((x) >> (b)) | ((x) << (64 - (b))))
 156  
 157  /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
 158  #define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
 159  #define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
 160  
 161  /* Four of six logical functions used in SHA-256: */
 162  #define Sigma0_256(x)   (S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
 163  #define Sigma1_256(x)   (S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
 164  #define sigma0_256(x)   (S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
 165  #define sigma1_256(x)   (S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
 166  
 167  /* Four of six logical functions used in SHA-384 and SHA-512: */
 168  #define Sigma0_512(x)   (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
 169  #define Sigma1_512(x)   (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
 170  #define sigma0_512(x)   (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
 171  #define sigma1_512(x)   (S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
 172  
 173  /*** INTERNAL FUNCTION PROTOTYPES *************************************/
 174  /* NOTE: These should not be accessed directly from outside this
 175   * library -- they are intended for private internal visibility/use
 176   * only.
 177   */
 178  void SHA512_Last(SHA512_CTX*);
 179  void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
 180  void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
 181  
 182  
 183  /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
 184  /* Hash constant words K for SHA-256: */
 185  const static sha2_word32 K256[64] = {
 186          0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
 187          0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
 188          0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
 189          0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
 190          0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
 191          0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
 192          0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
 193          0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
 194          0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
 195          0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
 196          0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
 197          0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
 198          0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
 199          0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
 200          0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
 201          0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
 202  };
 203  
 204  /* Initial hash value H for SHA-256: */
 205  const static sha2_word32 sha256_initial_hash_value[8] = {
 206          0x6a09e667UL,
 207          0xbb67ae85UL,
 208          0x3c6ef372UL,
 209          0xa54ff53aUL,
 210          0x510e527fUL,
 211          0x9b05688cUL,
 212          0x1f83d9abUL,
 213          0x5be0cd19UL
 214  };
 215  
 216  /* Hash constant words K for SHA-384 and SHA-512: */
 217  const static sha2_word64 K512[80] = {
ULL(0x428a2f98d728ae22), ULL(0x7137449123ef65cd),
ULL(0xb5c0fbcfec4d3b2f), ULL(0xe9b5dba58189dbbc),
ULL(0x3956c25bf348b538), ULL(0x59f111f1b605d019),
ULL(0x923f82a4af194f9b), ULL(0xab1c5ed5da6d8118),
ULL(0xd807aa98a3030242), ULL(0x12835b0145706fbe),
ULL(0x243185be4ee4b28c), ULL(0x550c7dc3d5ffb4e2),
ULL(0x72be5d74f27b896f), ULL(0x80deb1fe3b1696b1),
ULL(0x9bdc06a725c71235), ULL(0xc19bf174cf692694),
ULL(0xe49b69c19ef14ad2), ULL(0xefbe4786384f25e3),
ULL(0x0fc19dc68b8cd5b5), ULL(0x240ca1cc77ac9c65),
ULL(0x2de92c6f592b0275), ULL(0x4a7484aa6ea6e483),
ULL(0x5cb0a9dcbd41fbd4), ULL(0x76f988da831153b5),
ULL(0x983e5152ee66dfab), ULL(0xa831c66d2db43210),
ULL(0xb00327c898fb213f), ULL(0xbf597fc7beef0ee4),
ULL(0xc6e00bf33da88fc2), ULL(0xd5a79147930aa725),
ULL(0x06ca6351e003826f), ULL(0x142929670a0e6e70),
ULL(0x27b70a8546d22ffc), ULL(0x2e1b21385c26c926),
ULL(0x4d2c6dfc5ac42aed), ULL(0x53380d139d95b3df),
ULL(0x650a73548baf63de), ULL(0x766a0abb3c77b2a8),
ULL(0x81c2c92e47edaee6), ULL(0x92722c851482353b),
ULL(0xa2bfe8a14cf10364), ULL(0xa81a664bbc423001),
ULL(0xc24b8b70d0f89791), ULL(0xc76c51a30654be30),
ULL(0xd192e819d6ef5218), ULL(0xd69906245565a910),
ULL(0xf40e35855771202a), ULL(0x106aa07032bbd1b8),
ULL(0x19a4c116b8d2d0c8), ULL(0x1e376c085141ab53),
ULL(0x2748774cdf8eeb99), ULL(0x34b0bcb5e19b48a8),
ULL(0x391c0cb3c5c95a63), ULL(0x4ed8aa4ae3418acb),
ULL(0x5b9cca4f7763e373), ULL(0x682e6ff3d6b2b8a3),
ULL(0x748f82ee5defb2fc), ULL(0x78a5636f43172f60),
ULL(0x84c87814a1f0ab72), ULL(0x8cc702081a6439ec),
ULL(0x90befffa23631e28), ULL(0xa4506cebde82bde9),
ULL(0xbef9a3f7b2c67915), ULL(0xc67178f2e372532b),
ULL(0xca273eceea26619c), ULL(0xd186b8c721c0c207),
ULL(0xeada7dd6cde0eb1e), ULL(0xf57d4f7fee6ed178),
ULL(0x06f067aa72176fba), ULL(0x0a637dc5a2c898a6),
ULL(0x113f9804bef90dae), ULL(0x1b710b35131c471b),
ULL(0x28db77f523047d84), ULL(0x32caab7b40c72493),
ULL(0x3c9ebe0a15c9bebc), ULL(0x431d67c49c100d4c),
ULL(0x4cc5d4becb3e42b6), ULL(0x597f299cfc657e2a),
ULL(0x5fcb6fab3ad6faec), ULL(0x6c44198c4a475817)
 258  };
 259  
 260  /* Initial hash value H for SHA-384 */
 261  const static sha2_word64 sha384_initial_hash_value[8] = {
ULL(0xcbbb9d5dc1059ed8),
ULL(0x629a292a367cd507),
ULL(0x9159015a3070dd17),
ULL(0x152fecd8f70e5939),
ULL(0x67332667ffc00b31),
ULL(0x8eb44a8768581511),
ULL(0xdb0c2e0d64f98fa7),
ULL(0x47b5481dbefa4fa4)
 270  };
 271  
 272  /* Initial hash value H for SHA-512 */
 273  const static sha2_word64 sha512_initial_hash_value[8] = {
ULL(0x6a09e667f3bcc908),
ULL(0xbb67ae8584caa73b),
ULL(0x3c6ef372fe94f82b),
ULL(0xa54ff53a5f1d36f1),
ULL(0x510e527fade682d1),
ULL(0x9b05688c2b3e6c1f),
ULL(0x1f83d9abfb41bd6b),
ULL(0x5be0cd19137e2179)
 282  };
 283  
 284  
 285  /*** SHA-256: *********************************************************/
 286  void SHA256_Init(SHA256_CTX* context) {
 287          if (context == (SHA256_CTX*)0) {
 288                  return;
 289          }
MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH);
 292          context->bitcount = 0;
 293  }
 294  
 295  #ifdef SHA2_UNROLL_TRANSFORM
 296  
 297  /* Unrolled SHA-256 round macros: */
 298  
 299  #ifndef WORDS_BIGENDIAN
 300  
 301  #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)       \
REVERSE32(*data++, W256[j]); \
 303          T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
 304               K256[j] + W256[j]; \
 305          (d) += T1; \
 306          (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
 307          j++
 308  
 309  
 310  #else
 311  
 312  #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)       \
 313          T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
 314               K256[j] + (W256[j] = *data++); \
 315          (d) += T1; \
 316          (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
 317          j++
 318  
 319  #endif
 320  
 321  #define ROUND256(a,b,c,d,e,f,g,h)       \
 322          s0 = W256[(j+1)&0x0f]; \
 323          s0 = sigma0_256(s0); \
 324          s1 = W256[(j+14)&0x0f]; \
 325          s1 = sigma1_256(s1); \
 326          T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
 327               (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
 328          (d) += T1; \
 329          (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
 330          j++
 331  
 332  void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
 333          sha2_word32     a, b, c, d, e, f, g, h, s0, s1;
 334          sha2_word32     T1, *W256;
 335          int             j;
 336  
 337          W256 = (sha2_word32*)context->buffer;
 338  
 339          /* Initialize registers with the prev. intermediate value */
 340          a = context->state[0];
 341          b = context->state[1];
 342          c = context->state[2];
 343          d = context->state[3];
 344          e = context->state[4];
 345          f = context->state[5];
 346          g = context->state[6];
 347          h = context->state[7];
 348  
 349          j = 0;
 350          do {
 351                  /* Rounds 0 to 15 (unrolled): */
ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
 360          } while (j < 16);
 361  
 362          /* Now for the remaining rounds to 64: */
 363          do {
ROUND256(a,b,c,d,e,f,g,h);
ROUND256(h,a,b,c,d,e,f,g);
ROUND256(g,h,a,b,c,d,e,f);
ROUND256(f,g,h,a,b,c,d,e);
ROUND256(e,f,g,h,a,b,c,d);
ROUND256(d,e,f,g,h,a,b,c);
ROUND256(c,d,e,f,g,h,a,b);
ROUND256(b,c,d,e,f,g,h,a);
 372          } while (j < 64);
 373  
 374          /* Compute the current intermediate hash value */
 375          context->state[0] += a;
 376          context->state[1] += b;
 377          context->state[2] += c;
 378          context->state[3] += d;
 379          context->state[4] += e;
 380          context->state[5] += f;
 381          context->state[6] += g;
 382          context->state[7] += h;
 383  
 384          /* Clean up */
 385          a = b = c = d = e = f = g = h = T1 = 0;
 386  }
 387  
 388  #else /* SHA2_UNROLL_TRANSFORM */
 389  
 390  void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
 391          sha2_word32     a, b, c, d, e, f, g, h, s0, s1;
 392          sha2_word32     T1, T2, *W256;
 393          int             j;
 394  
 395          W256 = (sha2_word32*)context->buffer;
 396  
 397          /* Initialize registers with the prev. intermediate value */
 398          a = context->state[0];
 399          b = context->state[1];
 400          c = context->state[2];
 401          d = context->state[3];
 402          e = context->state[4];
 403          f = context->state[5];
 404          g = context->state[6];
 405          h = context->state[7];
 406  
 407          j = 0;
 408          do {
 409  #ifndef WORDS_BIGENDIAN
 410                  /* Copy data while converting to host byte order */
REVERSE32(*data++,W256[j]);
 412                  /* Apply the SHA-256 compression function to update a..h */
 413                  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
 414  #else
 415                  /* Apply the SHA-256 compression function to update a..h with copy */
 416                  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
 417  #endif
 418                  T2 = Sigma0_256(a) + Maj(a, b, c);
 419                  h = g;
 420                  g = f;
 421                  f = e;
 422                  e = d + T1;
 423                  d = c;
 424                  c = b;
 425                  b = a;
 426                  a = T1 + T2;
 427  
 428                  j++;
 429          } while (j < 16);
 430  
 431          do {
 432                  /* Part of the message block expansion: */
 433                  s0 = W256[(j+1)&0x0f];
 434                  s0 = sigma0_256(s0);
 435                  s1 = W256[(j+14)&0x0f]; 
 436                  s1 = sigma1_256(s1);
 437  
 438                  /* Apply the SHA-256 compression function to update a..h */
 439                  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 
 440                       (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
 441                  T2 = Sigma0_256(a) + Maj(a, b, c);
 442                  h = g;
 443                  g = f;
 444                  f = e;
 445                  e = d + T1;
 446                  d = c;
 447                  c = b;
 448                  b = a;
 449                  a = T1 + T2;
 450  
 451                  j++;
 452          } while (j < 64);
 453  
 454          /* Compute the current intermediate hash value */
 455          context->state[0] += a;
 456          context->state[1] += b;
 457          context->state[2] += c;
 458          context->state[3] += d;
 459          context->state[4] += e;
 460          context->state[5] += f;
 461          context->state[6] += g;
 462          context->state[7] += h;
 463  
 464          /* Clean up */
 465          a = b = c = d = e = f = g = h = T1 = T2 = 0;
 466  }
 467  
 468  #endif /* SHA2_UNROLL_TRANSFORM */
 469  
 470  void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
 471          unsigned int    freespace, usedspace;
 472  
 473          if (len == 0) {
 474                  /* Calling with no data is valid - we do nothing */
 475                  return;
 476          }
 477  
 478          /* Sanity check: */
 479          assert(context != NULL && data != NULL);
 480  
 481          usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
 482          if (usedspace > 0) {
 483                  /* Calculate how much free space is available in the buffer */
 484                  freespace = SHA256_BLOCK_LENGTH - usedspace;
 485  
 486                  if (len >= freespace) {
 487                          /* Fill the buffer completely and process it */
MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
 489                          context->bitcount += freespace << 3;
 490                          len -= freespace;
 491                          data += freespace;
SHA256_Transform(context, (sha2_word32*)context->buffer);
 493                  } else {
 494                          /* The buffer is not yet full */
MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
 496                          context->bitcount += len << 3;
 497                          /* Clean up: */
 498                          usedspace = freespace = 0;
 499                          return;
 500                  }
 501          }
 502          while (len >= SHA256_BLOCK_LENGTH) {
 503                  /* Process as many complete blocks as we can */
SHA256_Transform(context, (const sha2_word32*)data);
 505                  context->bitcount += SHA256_BLOCK_LENGTH << 3;
 506                  len -= SHA256_BLOCK_LENGTH;
 507                  data += SHA256_BLOCK_LENGTH;
 508          }
 509          if (len > 0) {
 510                  /* There's left-overs, so save 'em */
MEMCPY_BCOPY(context->buffer, data, len);
 512                  context->bitcount += len << 3;
 513          }
 514          /* Clean up: */
 515          usedspace = freespace = 0;
 516  }
 517  
 518  void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
 519          sha2_word32     *d = (sha2_word32*)digest;
 520          unsigned int    usedspace;
 521  
 522          /* Sanity check: */
 523          assert(context != NULL);
 524  
 525          /* If no digest buffer is passed, we don't bother doing this: */
 526          if (digest != (sha2_byte*)0) {
 527                  usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
 528  #ifndef WORDS_BIGENDIAN
 529                  /* Convert FROM host byte order */
REVERSE64(context->bitcount,context->bitcount);
 531  #endif
 532                  if (usedspace > 0) {
 533                          /* Begin padding with a 1 bit: */
 534                          context->buffer[usedspace++] = 0x80;
 535  
 536                          if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
 537                                  /* Set-up for the last transform: */
MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
 539                          } else {
 540                                  if (usedspace < SHA256_BLOCK_LENGTH) {
MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
 542                                  }
 543                                  /* Do second-to-last transform: */
SHA256_Transform(context, (sha2_word32*)context->buffer);
 545  
 546                                  /* And set-up for the last transform: */
MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
 548                          }
 549                  } else {
 550                          /* Set-up for the last transform: */
MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
 552  
 553                          /* Begin padding with a 1 bit: */
 554                          *context->buffer = 0x80;
 555                  }
 556                  /* Set the bit count: */
 557                  *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
 558  
 559                  /* Final transform: */
SHA256_Transform(context, (sha2_word32*)context->buffer);
 561  
 562  #ifndef WORDS_BIGENDIAN
 563                  {
 564                          /* Convert TO host byte order */
 565                          int     j;
 566                          for (j = 0; j < 8; j++) {
REVERSE32(context->state[j],context->state[j]);
 568                                  *d++ = context->state[j];
 569                          }
 570                  }
 571  #else
MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH);
 573  #endif
 574          }
 575  
 576          /* Clean up state data: */
MEMSET_BZERO(context, sizeof(SHA256_CTX));
 578          usedspace = 0;
 579  }
 580  
 581  int SHA256_Equal(SHA256_CTX* pctx1, SHA256_CTX* pctx2) {
 582          return pctx1->bitcount == pctx2->bitcount
 583                  && memcmp(pctx1->state, pctx2->state, sizeof(pctx1->state)) == 0
 584                  && memcmp(pctx1->buffer, pctx2->buffer, sizeof(pctx1->buffer)) == 0;
 585  }
 586  
 587  /*** SHA-512: *********************************************************/
 588  void SHA512_Init(SHA512_CTX* context) {
 589          if (context == (SHA512_CTX*)0) {
 590                  return;
 591          }
MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH);
 594          context->bitcount[0] = context->bitcount[1] =  0;
 595  }
 596  
 597  #ifdef SHA2_UNROLL_TRANSFORM
 598  
 599  /* Unrolled SHA-512 round macros: */
 600  #ifndef WORDS_BIGENDIAN
 601  
 602  #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)       \
REVERSE64(*data++, W512[j]); \
 604          T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
 605               K512[j] + W512[j]; \
 606          (d) += T1, \
 607          (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
 608          j++
 609  
 610  
 611  #else
 612  
 613  #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)       \
 614          T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
 615               K512[j] + (W512[j] = *data++); \
 616          (d) += T1; \
 617          (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
 618          j++
 619  
 620  #endif
 621  
 622  #define ROUND512(a,b,c,d,e,f,g,h)       \
 623          s0 = W512[(j+1)&0x0f]; \
 624          s0 = sigma0_512(s0); \
 625          s1 = W512[(j+14)&0x0f]; \
 626          s1 = sigma1_512(s1); \
 627          T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
 628               (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
 629          (d) += T1; \
 630          (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
 631          j++
 632  
 633  void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
 634          sha2_word64     a, b, c, d, e, f, g, h, s0, s1;
 635          sha2_word64     T1, *W512 = (sha2_word64*)context->buffer;
 636          int             j;
 637  
 638          /* Initialize registers with the prev. intermediate value */
 639          a = context->state[0];
 640          b = context->state[1];
 641          c = context->state[2];
 642          d = context->state[3];
 643          e = context->state[4];
 644          f = context->state[5];
 645          g = context->state[6];
 646          h = context->state[7];
 647  
 648          j = 0;
 649          do {
ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
 658          } while (j < 16);
 659  
 660          /* Now for the remaining rounds up to 79: */
 661          do {
ROUND512(a,b,c,d,e,f,g,h);
ROUND512(h,a,b,c,d,e,f,g);
ROUND512(g,h,a,b,c,d,e,f);
ROUND512(f,g,h,a,b,c,d,e);
ROUND512(e,f,g,h,a,b,c,d);
ROUND512(d,e,f,g,h,a,b,c);
ROUND512(c,d,e,f,g,h,a,b);
ROUND512(b,c,d,e,f,g,h,a);
 670          } while (j < 80);
 671  
 672          /* Compute the current intermediate hash value */
 673          context->state[0] += a;
 674          context->state[1] += b;
 675          context->state[2] += c;
 676          context->state[3] += d;
 677          context->state[4] += e;
 678          context->state[5] += f;
 679          context->state[6] += g;
 680          context->state[7] += h;
 681  
 682          /* Clean up */
 683          a = b = c = d = e = f = g = h = T1 = 0;
 684  }
 685  
 686  #else /* SHA2_UNROLL_TRANSFORM */
 687  
 688  void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
 689          sha2_word64     a, b, c, d, e, f, g, h, s0, s1;
 690          sha2_word64     T1, T2, *W512 = (sha2_word64*)context->buffer;
 691          int             j;
 692  
 693          /* Initialize registers with the prev. intermediate value */
 694          a = context->state[0];
 695          b = context->state[1];
 696          c = context->state[2];
 697          d = context->state[3];
 698          e = context->state[4];
 699          f = context->state[5];
 700          g = context->state[6];
 701          h = context->state[7];
 702  
 703          j = 0;
 704          do {
 705  #ifndef WORDS_BIGENDIAN
 706                  /* Convert TO host byte order */
REVERSE64(*data++, W512[j]);
 708                  /* Apply the SHA-512 compression function to update a..h */
 709                  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
 710  #else
 711                  /* Apply the SHA-512 compression function to update a..h with copy */
 712                  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
 713  #endif
 714                  T2 = Sigma0_512(a) + Maj(a, b, c);
 715                  h = g;
 716                  g = f;
 717                  f = e;
 718                  e = d + T1;
 719                  d = c;
 720                  c = b;
 721                  b = a;
 722                  a = T1 + T2;
 723  
 724                  j++;
 725          } while (j < 16);
 726  
 727          do {
 728                  /* Part of the message block expansion: */
 729                  s0 = W512[(j+1)&0x0f];
 730                  s0 = sigma0_512(s0);
 731                  s1 = W512[(j+14)&0x0f];
 732                  s1 =  sigma1_512(s1);
 733  
 734                  /* Apply the SHA-512 compression function to update a..h */
 735                  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
 736                       (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
 737                  T2 = Sigma0_512(a) + Maj(a, b, c);
 738                  h = g;
 739                  g = f;
 740                  f = e;
 741                  e = d + T1;
 742                  d = c;
 743                  c = b;
 744                  b = a;
 745                  a = T1 + T2;
 746  
 747                  j++;
 748          } while (j < 80);
 749  
 750          /* Compute the current intermediate hash value */
 751          context->state[0] += a;
 752          context->state[1] += b;
 753          context->state[2] += c;
 754          context->state[3] += d;
 755          context->state[4] += e;
 756          context->state[5] += f;
 757          context->state[6] += g;
 758          context->state[7] += h;
 759  
 760          /* Clean up */
 761          a = b = c = d = e = f = g = h = T1 = T2 = 0;
 762  }
 763  
 764  #endif /* SHA2_UNROLL_TRANSFORM */
 765  
 766  void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
 767          unsigned int    freespace, usedspace;
 768  
 769          if (len == 0) {
 770                  /* Calling with no data is valid - we do nothing */
 771                  return;
 772          }
 773  
 774          /* Sanity check: */
 775          assert(context != NULL && data != NULL);
 776  
 777          usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
 778          if (usedspace > 0) {
 779                  /* Calculate how much free space is available in the buffer */
 780                  freespace = SHA512_BLOCK_LENGTH - usedspace;
 781  
 782                  if (len >= freespace) {
 783                          /* Fill the buffer completely and process it */
MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
ADDINC128(context->bitcount, freespace << 3);
 786                          len -= freespace;
 787                          data += freespace;
SHA512_Transform(context, (const sha2_word64*)context->buffer);
 789                  } else {
 790                          /* The buffer is not yet full */
MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
ADDINC128(context->bitcount, len << 3);
 793                          /* Clean up: */
 794                          usedspace = freespace = 0;
 795                          return;
 796                  }
 797          }
 798          while (len >= SHA512_BLOCK_LENGTH) {
 799                  /* Process as many complete blocks as we can */
SHA512_Transform(context, (const sha2_word64*)data);
ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
 802                  len -= SHA512_BLOCK_LENGTH;
 803                  data += SHA512_BLOCK_LENGTH;
 804          }
 805          if (len > 0) {
 806                  /* There's left-overs, so save 'em */
MEMCPY_BCOPY(context->buffer, data, len);
ADDINC128(context->bitcount, len << 3);
 809          }
 810          /* Clean up: */
 811          usedspace = freespace = 0;
 812  }
 813  
 814  void SHA512_Last(SHA512_CTX* context) {
 815          unsigned int    usedspace;
 816  
 817          usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
 818  #ifndef WORDS_BIGENDIAN
 819          /* Convert FROM host byte order */
REVERSE64(context->bitcount[0],context->bitcount[0]);
REVERSE64(context->bitcount[1],context->bitcount[1]);
 822  #endif
 823          if (usedspace > 0) {
 824                  /* Begin padding with a 1 bit: */
 825                  context->buffer[usedspace++] = 0x80;
 826  
 827                  if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
 828                          /* Set-up for the last transform: */
MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
 830                  } else {
 831                          if (usedspace < SHA512_BLOCK_LENGTH) {
MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
 833                          }
 834                          /* Do second-to-last transform: */
SHA512_Transform(context, (const sha2_word64*)context->buffer);
 836  
 837                          /* And set-up for the last transform: */
MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2);
 839                  }
 840          } else {
 841                  /* Prepare for final transform: */
MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
 843  
 844                  /* Begin padding with a 1 bit: */
 845                  *context->buffer = 0x80;
 846          }
 847          /* Store the length of input data (in bits): */
 848          *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
 849          *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
 850  
 851          /* Final transform: */
SHA512_Transform(context, (const sha2_word64*)context->buffer);
 853  }
 854  
 855  void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
 856          sha2_word64     *d = (sha2_word64*)digest;
 857  
 858          /* Sanity check: */
 859          assert(context != NULL);
 860  
 861          /* If no digest buffer is passed, we don't bother doing this: */
 862          if (digest != (sha2_byte*)0) {
SHA512_Last(context);
 864  
 865                  /* Save the hash data for output: */
 866  #ifndef WORDS_BIGENDIAN
 867                  {
 868                          /* Convert TO host byte order */
 869                          int     j;
 870                          for (j = 0; j < 8; j++) {
REVERSE64(context->state[j],context->state[j]);
 872                                  *d++ = context->state[j];
 873                          }
 874                  }
 875  #else
MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH);
 877  #endif
 878          }
 879  
 880          /* Zero out state data */
MEMSET_BZERO(context, sizeof(SHA512_CTX));
 882  }
 883  
 884  int SHA512_Equal(SHA512_CTX* pctx1, SHA512_CTX* pctx2) {
 885          return memcmp(pctx1->bitcount, pctx2->bitcount, sizeof(pctx1->bitcount)) == 0
 886                  && memcmp(pctx1->state, pctx2->state, sizeof(pctx1->state)) == 0
 887                  && memcmp(pctx1->buffer, pctx2->buffer, sizeof(pctx1->buffer)) == 0;
 888  }
 889  
 890  /*** SHA-384: *********************************************************/
 891  void SHA384_Init(SHA384_CTX* context) {
 892          if (context == (SHA384_CTX*)0) {
 893                  return;
 894          }
MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH);
 897          context->bitcount[0] = context->bitcount[1] = 0;
 898  }
 899  
 900  void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
SHA512_Update((SHA512_CTX*)context, data, len);
 902  }
 903  
 904  void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
 905          sha2_word64     *d = (sha2_word64*)digest;
 906  
 907          /* Sanity check: */
 908          assert(context != NULL);
 909  
 910          /* If no digest buffer is passed, we don't bother doing this: */
 911          if (digest != (sha2_byte*)0) {
SHA512_Last((SHA512_CTX*)context);
 913  
 914                  /* Save the hash data for output: */
 915  #ifndef WORDS_BIGENDIAN
 916                  {
 917                          /* Convert TO host byte order */
 918                          int     j;
 919                          for (j = 0; j < 6; j++) {
REVERSE64(context->state[j],context->state[j]);
 921                                  *d++ = context->state[j];
 922                          }
 923                  }
 924  #else
MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH);
 926  #endif
 927          }
 928  
 929          /* Zero out state data */
MEMSET_BZERO(context, sizeof(SHA384_CTX));
 931  }
 932  
 933  int SHA384_Equal(SHA384_CTX* pctx1, SHA384_CTX* pctx2) {
 934          return memcmp(pctx1->bitcount, pctx2->bitcount, sizeof(pctx1->bitcount)) == 0
 935                  && memcmp(pctx1->state, pctx2->state, sizeof(pctx1->state)) == 0
 936                  && memcmp(pctx1->buffer, pctx2->buffer, sizeof(pctx1->buffer)) == 0;
 937  }