source: branches/release_2_0/base/src/pextlib1.0/sha2.c @ 81465

Last change on this file since 81465 was 81465, checked in by jmr@…, 9 years ago

merge r81464 from trunk:

add progress output to images_to_archives.tcl (#30347)

  • Property svn:eol-style set to native
  • Property svn:mergeinfo set to (toggle deleted branches)
    /trunk/base/src/pextlib1.0/sha2.cmergedeligible
    /branches/gsoc08-privileges/base/src/pextlib1.0/sha2.c37343-46937
    /branches/universal-sanity/base/src/pextlib1.0/sha2.c51872-52323
    /branches/variant-descs-14482/base/src/pextlib1.0/sha2.c34469-34855,​34900-37508,​37511-37512,​41040-41463,​42575-42626,​42640-42659
    /users/perry/base-bugs_and_notes/src/pextlib1.0/sha2.c45682-46060
    /users/perry/base-select/src/pextlib1.0/sha2.c44044-44692
File size: 13.9 KB
Line 
1/*      $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $        */
2
3/*
4 * FILE:        sha2.c
5 * AUTHOR:      Aaron D. Gifford <me@aarongifford.com>
6 *
7 * Copyright (c) 2000-2001, Aaron D. Gifford
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the copyright holder nor the names of contributors
19 *    may be used to endorse or promote products derived from this software
20 *    without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
35 */
36
37#include <sys/param.h>
38#include <sys/time.h>
39
40/*
41 * UNROLLED TRANSFORM LOOP NOTE:
42 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
43 * loop version for the hash transform rounds (defined using macros
44 * later in this file).  Either define on the command line, for example:
45 *
46 *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
47 *
48 * or define below:
49 *
50 *   #define SHA2_UNROLL_TRANSFORM
51 *
52 */
53
54
55/*** SHA-256 Machine Architecture Definitions *****************/
56/*
57 * BYTE_ORDER NOTE:
58 *
59 * Please make sure that your system defines BYTE_ORDER.  If your
60 * architecture is little-endian, make sure it also defines
61 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
62 * equivilent.
63 *
64 * If your system does not define the above, then you can do so by
65 * hand like this:
66 *
67 *   #define LITTLE_ENDIAN 1234
68 *   #define BIG_ENDIAN    4321
69 *
70 * And for little-endian machines, add:
71 *
72 *   #define BYTE_ORDER LITTLE_ENDIAN
73 *
74 * Or for big-endian machines:
75 *
76 *   #define BYTE_ORDER BIG_ENDIAN
77 *
78 * The FreeBSD machine this was written on defines BYTE_ORDER
79 * appropriately by including <sys/types.h> (which in turn includes
80 * <machine/endian.h> where the appropriate definitions are actually
81 * made).
82 */
83#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
84#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
85#endif
86
87
88/*** SHA-256 Various Length Definitions ***********************/
89/* NOTE: Most of these are in sha2.h */
90#define SHA256_SHORT_BLOCK_LENGTH       (SHA256_BLOCK_LENGTH - 8)
91
92
93/*** ENDIAN REVERSAL MACROS *******************************************/
94#if BYTE_ORDER == LITTLE_ENDIAN
95#define REVERSE32(w,x)  { \
96        u_int32_t tmp = (w); \
97        tmp = (tmp >> 16) | (tmp << 16); \
98        (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
99}
100#define REVERSE64(w,x)  { \
101        u_int64_t tmp = (w); \
102        tmp = (tmp >> 32) | (tmp << 32); \
103        tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
104              ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
105        (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
106              ((tmp & 0x0000ffff0000ffffULL) << 16); \
107}
108#endif /* BYTE_ORDER == LITTLE_ENDIAN */
109
110/*
111 * Macro for incrementally adding the unsigned 64-bit integer n to the
112 * unsigned 128-bit integer (represented using a two-element array of
113 * 64-bit words):
114 */
115#define ADDINC128(w,n)  { \
116        (w)[0] += (u_int64_t)(n); \
117        if ((w)[0] < (n)) { \
118                (w)[1]++; \
119        } \
120}
121
122/*** THE SIX LOGICAL FUNCTIONS ****************************************/
123/*
124 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
125 *
126 *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
127 *   S is a ROTATION) because the SHA-256/384/512 description document
128 *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
129 *   same "backwards" definition.
130 */
131/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
132#define R(b,x)          ((x) >> (b))
133/* 32-bit Rotate-right (used in SHA-256): */
134#define S32(b,x)        (((x) >> (b)) | ((x) << (32 - (b))))
135/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
136#define S64(b,x)        (((x) >> (b)) | ((x) << (64 - (b))))
137
138/* Two of six logical functions used in SHA-256: */
139#define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
140#define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
141
142/* Four of six logical functions used in SHA-256: */
143#define Sigma0_256(x)   (S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
144#define Sigma1_256(x)   (S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
145#define sigma0_256(x)   (S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
146#define sigma1_256(x)   (S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
147
148/*** INTERNAL FUNCTION PROTOTYPES *************************************/
149/* NOTE: These should not be accessed directly from outside this
150 * library -- they are intended for private internal visibility/use
151 * only.
152 */
153void SHA256_Transform(SHA256_CTX *, const u_int8_t *);
154
155
156/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
157/* Hash constant words K for SHA-256: */
158static const u_int32_t K256[64] = {
159        0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
160        0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
161        0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
162        0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
163        0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
164        0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
165        0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
166        0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
167        0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
168        0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
169        0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
170        0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
171        0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
172        0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
173        0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
174        0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
175};
176
177/* Initial hash value H for SHA-256: */
178static const u_int32_t sha256_initial_hash_value[8] = {
179        0x6a09e667UL,
180        0xbb67ae85UL,
181        0x3c6ef372UL,
182        0xa54ff53aUL,
183        0x510e527fUL,
184        0x9b05688cUL,
185        0x1f83d9abUL,
186        0x5be0cd19UL
187};
188
189
190
191/*** SHA-256: *********************************************************/
192void
193SHA256_Init(SHA256_CTX *context)
194{
195        if (context == NULL)
196                return;
197        bcopy(sha256_initial_hash_value, context->state, SHA256_DIGEST_LENGTH);
198        bzero(context->buffer, SHA256_BLOCK_LENGTH);
199        context->bitcount = 0;
200}
201
202#ifdef SHA2_UNROLL_TRANSFORM
203
204/* Unrolled SHA-256 round macros: */
205
206#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do {                              \
207        W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) |          \
208            ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24);        \
209        data += 4;                                                          \
210        T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
211        (d) += T1;                                                          \
212        (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));                    \
213        j++;                                                                \
214} while(0)
215
216#define ROUND256(a,b,c,d,e,f,g,h) do {                                      \
217        s0 = W256[(j+1)&0x0f];                                              \
218        s0 = sigma0_256(s0);                                                \
219        s1 = W256[(j+14)&0x0f];                                             \
220        s1 = sigma1_256(s1);                                                \
221        T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] +          \
222             (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);                  \
223        (d) += T1;                                                          \
224        (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));                    \
225        j++;                                                                \
226} while(0)
227
228void
229SHA256_Transform(SHA256_CTX *context, const u_int8_t *data)
230{
231        u_int32_t       a, b, c, d, e, f, g, h, s0, s1;
232        u_int32_t       T1, *W256;
233        int             j;
234
235        W256 = (u_int32_t *)context->buffer;
236
237        /* Initialize registers with the prev. intermediate value */
238        a = context->state[0];
239        b = context->state[1];
240        c = context->state[2];
241        d = context->state[3];
242        e = context->state[4];
243        f = context->state[5];
244        g = context->state[6];
245        h = context->state[7];
246
247        j = 0;
248        do {
249                /* Rounds 0 to 15 (unrolled): */
250                ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
251                ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
252                ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
253                ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
254                ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
255                ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
256                ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
257                ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
258        } while (j < 16);
259
260        /* Now for the remaining rounds to 64: */
261        do {
262                ROUND256(a,b,c,d,e,f,g,h);
263                ROUND256(h,a,b,c,d,e,f,g);
264                ROUND256(g,h,a,b,c,d,e,f);
265                ROUND256(f,g,h,a,b,c,d,e);
266                ROUND256(e,f,g,h,a,b,c,d);
267                ROUND256(d,e,f,g,h,a,b,c);
268                ROUND256(c,d,e,f,g,h,a,b);
269                ROUND256(b,c,d,e,f,g,h,a);
270        } while (j < 64);
271
272        /* Compute the current intermediate hash value */
273        context->state[0] += a;
274        context->state[1] += b;
275        context->state[2] += c;
276        context->state[3] += d;
277        context->state[4] += e;
278        context->state[5] += f;
279        context->state[6] += g;
280        context->state[7] += h;
281
282        /* Clean up */
283        a = b = c = d = e = f = g = h = T1 = 0;
284}
285
286#else /* SHA2_UNROLL_TRANSFORM */
287
288void
289SHA256_Transform(SHA256_CTX *context, const u_int8_t *data)
290{
291        u_int32_t       a, b, c, d, e, f, g, h, s0, s1;
292        u_int32_t       T1, T2, *W256;
293        int             j;
294
295        W256 = (u_int32_t *)context->buffer;
296
297        /* Initialize registers with the prev. intermediate value */
298        a = context->state[0];
299        b = context->state[1];
300        c = context->state[2];
301        d = context->state[3];
302        e = context->state[4];
303        f = context->state[5];
304        g = context->state[6];
305        h = context->state[7];
306
307        j = 0;
308        do {
309                W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) |
310                    ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24);
311                data += 4;
312                /* Apply the SHA-256 compression function to update a..h */
313                T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
314                T2 = Sigma0_256(a) + Maj(a, b, c);
315                h = g;
316                g = f;
317                f = e;
318                e = d + T1;
319                d = c;
320                c = b;
321                b = a;
322                a = T1 + T2;
323
324                j++;
325        } while (j < 16);
326
327        do {
328                /* Part of the message block expansion: */
329                s0 = W256[(j+1)&0x0f];
330                s0 = sigma0_256(s0);
331                s1 = W256[(j+14)&0x0f]; 
332                s1 = sigma1_256(s1);
333
334                /* Apply the SHA-256 compression function to update a..h */
335                T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 
336                     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
337                T2 = Sigma0_256(a) + Maj(a, b, c);
338                h = g;
339                g = f;
340                f = e;
341                e = d + T1;
342                d = c;
343                c = b;
344                b = a;
345                a = T1 + T2;
346
347                j++;
348        } while (j < 64);
349
350        /* Compute the current intermediate hash value */
351        context->state[0] += a;
352        context->state[1] += b;
353        context->state[2] += c;
354        context->state[3] += d;
355        context->state[4] += e;
356        context->state[5] += f;
357        context->state[6] += g;
358        context->state[7] += h;
359
360        /* Clean up */
361        a = b = c = d = e = f = g = h = T1 = T2 = 0;
362}
363
364#endif /* SHA2_UNROLL_TRANSFORM */
365
366void
367SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len)
368{
369        size_t  freespace, usedspace;
370
371        /* Calling with no data is valid (we do nothing) */
372        if (len == 0)
373                return;
374
375        usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
376        if (usedspace > 0) {
377                /* Calculate how much free space is available in the buffer */
378                freespace = SHA256_BLOCK_LENGTH - usedspace;
379
380                if (len >= freespace) {
381                        /* Fill the buffer completely and process it */
382                        bcopy(data, &context->buffer[usedspace], freespace);
383                        context->bitcount += freespace << 3;
384                        len -= freespace;
385                        data += freespace;
386                        SHA256_Transform(context, context->buffer);
387                } else {
388                        /* The buffer is not yet full */
389                        bcopy(data, &context->buffer[usedspace], len);
390                        context->bitcount += len << 3;
391                        /* Clean up: */
392                        usedspace = freespace = 0;
393                        return;
394                }
395        }
396        while (len >= SHA256_BLOCK_LENGTH) {
397                /* Process as many complete blocks as we can */
398                SHA256_Transform(context, data);
399                context->bitcount += SHA256_BLOCK_LENGTH << 3;
400                len -= SHA256_BLOCK_LENGTH;
401                data += SHA256_BLOCK_LENGTH;
402        }
403        if (len > 0) {
404                /* There's left-overs, so save 'em */
405                bcopy(data, context->buffer, len);
406                context->bitcount += len << 3;
407        }
408        /* Clean up: */
409        usedspace = freespace = 0;
410}
411
412void
413SHA256_Final(u_int8_t digest[], SHA256_CTX *context)
414{
415        u_int32_t       *d = (u_int32_t *)digest;
416        unsigned int    usedspace;
417
418        /* If no digest buffer is passed, we don't bother doing this: */
419        if (digest != NULL) {
420                usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
421#if BYTE_ORDER == LITTLE_ENDIAN
422                /* Convert FROM host byte order */
423                REVERSE64(context->bitcount,context->bitcount);
424#endif
425                if (usedspace > 0) {
426                        /* Begin padding with a 1 bit: */
427                        context->buffer[usedspace++] = 0x80;
428
429                        if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
430                                /* Set-up for the last transform: */
431                                bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
432                        } else {
433                                if (usedspace < SHA256_BLOCK_LENGTH) {
434                                        bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
435                                }
436                                /* Do second-to-last transform: */
437                                SHA256_Transform(context, context->buffer);
438
439                                /* And set-up for the last transform: */
440                                bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
441                        }
442                } else {
443                        /* Set-up for the last transform: */
444                        bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
445
446                        /* Begin padding with a 1 bit: */
447                        *context->buffer = 0x80;
448                }
449                /* Set the bit count: */
450                *(u_int64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
451
452                /* Final transform: */
453                SHA256_Transform(context, context->buffer);
454
455#if BYTE_ORDER == LITTLE_ENDIAN
456                {
457                        /* Convert TO host byte order */
458                        int     j;
459                        for (j = 0; j < 8; j++) {
460                                REVERSE32(context->state[j],context->state[j]);
461                                *d++ = context->state[j];
462                        }
463                }
464#else
465                bcopy(context->state, d, SHA256_DIGEST_LENGTH);
466#endif
467        }
468
469        /* Clean up state data: */
470        bzero(context, sizeof(*context));
471        usedspace = 0;
472}
Note: See TracBrowser for help on using the repository browser.