2 * Copyright (c) 2013 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 * Implementation of SHA-224, SHA-256, SHA-384 and SHA-512
19 * as per FIPS 180-4: Secure Hash Standard (SHS)
20 * http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
22 * Derived from the public domain SHA-1 and SHA-2 implementations
23 * by Steve Reid and Wei Dai respectively.
36 #endif /* STDC_HEADERS */
38 # if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
42 #endif /* HAVE_STRING_H */
45 #endif /* HAVE_STRINGS_H */
46 #if defined(HAVE_STDINT_H)
48 #elif defined(HAVE_INTTYPES_H)
49 # include <inttypes.h>
51 #if defined(HAVE_ENDIAN_H)
53 #elif defined(HAVE_SYS_ENDIAN_H)
54 # include <sys/endian.h>
55 #elif defined(HAVE_MACHINE_ENDIAN_H)
56 # include <machine/endian.h>
58 # include "compat/endian.h"
64 * SHA-2 operates on 32-bit and 64-bit words in big endian byte order.
65 * The following macros convert between character arrays and big endian words.
67 #define BE8TO32(x, y) do { \
68 (x) = (((uint32_t)((y)[0] & 255) << 24) | \
69 ((uint32_t)((y)[1] & 255) << 16) | \
70 ((uint32_t)((y)[2] & 255) << 8) | \
71 ((uint32_t)((y)[3] & 255))); \
74 #define BE8TO64(x, y) do { \
75 (x) = (((uint64_t)((y)[0] & 255) << 56) | \
76 ((uint64_t)((y)[1] & 255) << 48) | \
77 ((uint64_t)((y)[2] & 255) << 40) | \
78 ((uint64_t)((y)[3] & 255) << 32) | \
79 ((uint64_t)((y)[4] & 255) << 24) | \
80 ((uint64_t)((y)[5] & 255) << 16) | \
81 ((uint64_t)((y)[6] & 255) << 8) | \
82 ((uint64_t)((y)[7] & 255))); \
85 #define BE32TO8(x, y) do { \
86 (x)[0] = (uint8_t)(((y) >> 24) & 255); \
87 (x)[1] = (uint8_t)(((y) >> 16) & 255); \
88 (x)[2] = (uint8_t)(((y) >> 8) & 255); \
89 (x)[3] = (uint8_t)((y) & 255); \
92 #define BE64TO8(x, y) do { \
93 (x)[0] = (uint8_t)(((y) >> 56) & 255); \
94 (x)[1] = (uint8_t)(((y) >> 48) & 255); \
95 (x)[2] = (uint8_t)(((y) >> 40) & 255); \
96 (x)[3] = (uint8_t)(((y) >> 32) & 255); \
97 (x)[4] = (uint8_t)(((y) >> 24) & 255); \
98 (x)[5] = (uint8_t)(((y) >> 16) & 255); \
99 (x)[6] = (uint8_t)(((y) >> 8) & 255); \
100 (x)[7] = (uint8_t)((y) & 255); \
103 #define rotrFixed(x,y) (y ? ((x>>y) | (x<<(sizeof(x)*8-y))) : x)
105 #define blk0(i) (W[i])
106 #define blk2(i) (W[i&15]+=s1(W[(i-2)&15])+W[(i-7)&15]+s0(W[(i-15)&15]))
108 #define Ch(x,y,z) (z^(x&(y^z)))
109 #define Maj(x,y,z) (y^((x^y)&(y^z)))
111 #define a(i) T[(0-i)&7]
112 #define b(i) T[(1-i)&7]
113 #define c(i) T[(2-i)&7]
114 #define d(i) T[(3-i)&7]
115 #define e(i) T[(4-i)&7]
116 #define f(i) T[(5-i)&7]
117 #define g(i) T[(6-i)&7]
118 #define h(i) T[(7-i)&7]
120 extern void zero_bytes(volatile void *, size_t);
123 SHA224Init(SHA2_CTX *ctx)
125 memset(ctx, 0, sizeof(*ctx));
126 ctx->state.st32[0] = 0xc1059ed8UL;
127 ctx->state.st32[1] = 0x367cd507UL;
128 ctx->state.st32[2] = 0x3070dd17UL;
129 ctx->state.st32[3] = 0xf70e5939UL;
130 ctx->state.st32[4] = 0xffc00b31UL;
131 ctx->state.st32[5] = 0x68581511UL;
132 ctx->state.st32[6] = 0x64f98fa7UL;
133 ctx->state.st32[7] = 0xbefa4fa4UL;
137 SHA224Transform(uint32_t state[8], const uint8_t buffer[SHA224_BLOCK_LENGTH])
139 SHA256Transform(state, buffer);
143 SHA224Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
145 SHA256Update(ctx, data, len);
149 SHA224Pad(SHA2_CTX *ctx)
155 SHA224Final(uint8_t digest[SHA224_DIGEST_LENGTH], SHA2_CTX *ctx)
158 if (digest != NULL) {
159 #if BYTE_ORDER == BIG_ENDIAN
160 memcpy(digest, ctx->state.st32, SHA224_DIGEST_LENGTH);
164 for (i = 0; i < 7; i++)
165 BE32TO8(digest + (i * 4), ctx->state.st32[i]);
167 memset(ctx, 0, sizeof(*ctx));
171 static const uint32_t SHA256_K[64] = {
172 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
173 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
174 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
175 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
176 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
177 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
178 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
179 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
180 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
181 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
182 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
183 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
184 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
185 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
186 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
187 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
191 SHA256Init(SHA2_CTX *ctx)
193 memset(ctx, 0, sizeof(*ctx));
194 ctx->state.st32[0] = 0x6a09e667UL;
195 ctx->state.st32[1] = 0xbb67ae85UL;
196 ctx->state.st32[2] = 0x3c6ef372UL;
197 ctx->state.st32[3] = 0xa54ff53aUL;
198 ctx->state.st32[4] = 0x510e527fUL;
199 ctx->state.st32[5] = 0x9b05688cUL;
200 ctx->state.st32[6] = 0x1f83d9abUL;
201 ctx->state.st32[7] = 0x5be0cd19UL;
204 /* Round macros for SHA256 */
206 h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+SHA256_K[i+j]+(j?blk2(i):blk0(i)); \
208 h(i)+=S0(a(i))+Maj(a(i),b(i),c(i)); \
211 #define S0(x) (rotrFixed(x,2)^rotrFixed(x,13)^rotrFixed(x,22))
212 #define S1(x) (rotrFixed(x,6)^rotrFixed(x,11)^rotrFixed(x,25))
213 #define s0(x) (rotrFixed(x,7)^rotrFixed(x,18)^(x>>3))
214 #define s1(x) (rotrFixed(x,17)^rotrFixed(x,19)^(x>>10))
217 SHA256Transform(uint32_t state[8], const uint8_t data[SHA256_BLOCK_LENGTH])
223 /* Copy context state to working vars. */
224 memcpy(T, state, sizeof(T));
225 /* Copy data to W in big endian format. */
226 #if BYTE_ORDER == BIG_ENDIAN
227 memcpy(W, data, sizeof(W));
229 for (j = 0; j < 16; j++) {
234 /* 64 operations, partially loop unrolled. */
235 for (j = 0; j < 64; j += 16)
237 R( 0); R( 1); R( 2); R( 3);
238 R( 4); R( 5); R( 6); R( 7);
239 R( 8); R( 9); R(10); R(11);
240 R(12); R(13); R(14); R(15);
242 /* Add the working vars back into context state. */
252 zero_bytes(T, sizeof(T));
253 zero_bytes(W, sizeof(W));
263 SHA256Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
267 j = (size_t)((ctx->count[0] >> 3) & (SHA256_BLOCK_LENGTH - 1));
268 ctx->count[0] += (len << 3);
269 if ((j + len) > SHA256_BLOCK_LENGTH - 1) {
270 memcpy(&ctx->buffer[j], data, (i = SHA256_BLOCK_LENGTH - j));
271 SHA256Transform(ctx->state.st32, ctx->buffer);
272 for ( ; i + SHA256_BLOCK_LENGTH - 1 < len; i += SHA256_BLOCK_LENGTH)
273 SHA256Transform(ctx->state.st32, (uint8_t *)&data[i]);
276 memcpy(&ctx->buffer[j], &data[i], len - i);
280 SHA256Pad(SHA2_CTX *ctx)
282 uint8_t finalcount[8];
284 /* Store unpadded message length in bits in big endian format. */
285 BE64TO8(finalcount, ctx->count[0]);
287 /* Append a '1' bit (0x80) to the message. */
288 SHA256Update(ctx, (uint8_t *)"\200", 1);
290 /* Pad message such that the resulting length modulo 512 is 448. */
291 while ((ctx->count[0] & 504) != 448)
292 SHA256Update(ctx, (uint8_t *)"\0", 1);
294 /* Append length of message in bits and do final SHA256Transform(). */
295 SHA256Update(ctx, finalcount, sizeof(finalcount));
299 SHA256Final(uint8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *ctx)
302 if (digest != NULL) {
303 #if BYTE_ORDER == BIG_ENDIAN
304 memcpy(digest, ctx->state.st32, SHA256_DIGEST_LENGTH);
308 for (i = 0; i < 8; i++)
309 BE32TO8(digest + (i * 4), ctx->state.st32[i]);
311 memset(ctx, 0, sizeof(*ctx));
316 SHA384Init(SHA2_CTX *ctx)
318 memset(ctx, 0, sizeof(*ctx));
319 ctx->state.st64[0] = 0xcbbb9d5dc1059ed8ULL;
320 ctx->state.st64[1] = 0x629a292a367cd507ULL;
321 ctx->state.st64[2] = 0x9159015a3070dd17ULL;
322 ctx->state.st64[3] = 0x152fecd8f70e5939ULL;
323 ctx->state.st64[4] = 0x67332667ffc00b31ULL;
324 ctx->state.st64[5] = 0x8eb44a8768581511ULL;
325 ctx->state.st64[6] = 0xdb0c2e0d64f98fa7ULL;
326 ctx->state.st64[7] = 0x47b5481dbefa4fa4ULL;
330 SHA384Transform(uint64_t state[8], const uint8_t data[SHA384_BLOCK_LENGTH])
332 SHA512Transform(state, data);
336 SHA384Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
338 SHA512Update(ctx, data, len);
342 SHA384Pad(SHA2_CTX *ctx)
348 SHA384Final(uint8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *ctx)
351 if (digest != NULL) {
352 #if BYTE_ORDER == BIG_ENDIAN
353 memcpy(digest, ctx->state.st64, SHA384_DIGEST_LENGTH);
357 for (i = 0; i < 6; i++)
358 BE64TO8(digest + (i * 8), ctx->state.st64[i]);
360 memset(ctx, 0, sizeof(*ctx));
364 static const uint64_t SHA512_K[80] = {
365 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
366 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
367 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
368 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
369 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
370 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
371 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
372 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
373 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
374 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
375 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
376 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
377 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
378 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
379 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
380 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
381 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
382 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
383 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
384 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
385 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
386 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
387 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
388 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
389 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
390 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
391 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
392 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
393 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
394 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
395 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
396 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
397 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
398 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
399 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
400 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
401 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
402 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
403 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
404 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
408 SHA512Init(SHA2_CTX *ctx)
410 memset(ctx, 0, sizeof(*ctx));
411 ctx->state.st64[0] = 0x6a09e667f3bcc908ULL;
412 ctx->state.st64[1] = 0xbb67ae8584caa73bULL;
413 ctx->state.st64[2] = 0x3c6ef372fe94f82bULL;
414 ctx->state.st64[3] = 0xa54ff53a5f1d36f1ULL;
415 ctx->state.st64[4] = 0x510e527fade682d1ULL;
416 ctx->state.st64[5] = 0x9b05688c2b3e6c1fULL;
417 ctx->state.st64[6] = 0x1f83d9abfb41bd6bULL;
418 ctx->state.st64[7] = 0x5be0cd19137e2179ULL;
421 /* Round macros for SHA512 */
423 h(i)+=S1(e(i))+Ch(e(i),f(i),g(i))+SHA512_K[i+j]+(j?blk2(i):blk0(i)); \
425 h(i)+=S0(a(i))+Maj(a(i),b(i),c(i)); \
428 #define S0(x) (rotrFixed(x,28)^rotrFixed(x,34)^rotrFixed(x,39))
429 #define S1(x) (rotrFixed(x,14)^rotrFixed(x,18)^rotrFixed(x,41))
430 #define s0(x) (rotrFixed(x,1)^rotrFixed(x,8)^(x>>7))
431 #define s1(x) (rotrFixed(x,19)^rotrFixed(x,61)^(x>>6))
434 SHA512Transform(uint64_t state[8], const uint8_t data[SHA512_BLOCK_LENGTH])
440 /* Copy context state to working vars. */
441 memcpy(T, state, sizeof(T));
442 /* Copy data to W in big endian format. */
443 #if BYTE_ORDER == BIG_ENDIAN
444 memcpy(W, data, sizeof(W));
446 for (j = 0; j < 16; j++) {
451 /* 80 operations, partially loop unrolled. */
452 for (j = 0; j < 80; j += 16)
454 R( 0); R( 1); R( 2); R( 3);
455 R( 4); R( 5); R( 6); R( 7);
456 R( 8); R( 9); R(10); R(11);
457 R(12); R(13); R(14); R(15);
459 /* Add the working vars back into context state. */
469 zero_bytes(T, sizeof(T));
470 zero_bytes(W, sizeof(W));
474 SHA512Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
478 j = (size_t)((ctx->count[0] >> 3) & (SHA512_BLOCK_LENGTH - 1));
479 ctx->count[0] += (len << 3);
480 if (ctx->count[0] < (len << 3))
482 if ((j + len) > SHA512_BLOCK_LENGTH - 1) {
483 memcpy(&ctx->buffer[j], data, (i = SHA512_BLOCK_LENGTH - j));
484 SHA512Transform(ctx->state.st64, ctx->buffer);
485 for ( ; i + SHA512_BLOCK_LENGTH - 1 < len; i += SHA512_BLOCK_LENGTH)
486 SHA512Transform(ctx->state.st64, (uint8_t *)&data[i]);
489 memcpy(&ctx->buffer[j], &data[i], len - i);
493 SHA512Pad(SHA2_CTX *ctx)
495 uint8_t finalcount[16];
497 /* Store unpadded message length in bits in big endian format. */
498 BE64TO8(finalcount, ctx->count[1]);
499 BE64TO8(finalcount + 8, ctx->count[0]);
501 /* Append a '1' bit (0x80) to the message. */
502 SHA512Update(ctx, (uint8_t *)"\200", 1);
504 /* Pad message such that the resulting length modulo 1024 is 896. */
505 while ((ctx->count[0] & 1008) != 896)
506 SHA512Update(ctx, (uint8_t *)"\0", 1);
508 /* Append length of message in bits and do final SHA512Transform(). */
509 SHA512Update(ctx, finalcount, sizeof(finalcount));
513 SHA512Final(uint8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *ctx)
516 if (digest != NULL) {
517 #if BYTE_ORDER == BIG_ENDIAN
518 memcpy(digest, ctx->state.st64, SHA512_DIGEST_LENGTH);
522 for (i = 0; i < 8; i++)
523 BE64TO8(digest + (i * 8), ctx->state.st64[i]);
525 memset(ctx, 0, sizeof(*ctx));