sha2.c
Go to the documentation of this file.
1 /*
2  * FILE: sha2.c
3  * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
4  *
5  * Copyright (c) 2000-2001, Aaron D. Gifford
6  * All rights reserved.
7  *
8  * Modified by Jelte Jansen to fit in ldns, and not clash with any
9  * system-defined SHA code.
10  * Changes:
11  * - Renamed (external) functions and constants to fit ldns style
12  * - Removed _End and _Data functions
13  * - Added ldns_shaX(data, len, digest) convenience functions
14  * - Removed prototypes of _Transform functions and made those static
15  *
16  * Redistribution and use in source and binary forms, with or without
17  * modification, are permitted provided that the following conditions
18  * are met:
19  * 1. Redistributions of source code must retain the above copyright
20  * notice, this list of conditions and the following disclaimer.
21  * 2. Redistributions in binary form must reproduce the above copyright
22  * notice, this list of conditions and the following disclaimer in the
23  * documentation and/or other materials provided with the distribution.
24  * 3. Neither the name of the copyright holder nor the names of contributors
25  * may be used to endorse or promote products derived from this software
26  * without specific prior written permission.
27  *
28  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
29  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
32  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38  * SUCH DAMAGE.
39  *
40  * $Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
41  */
42 
43 #include <ldns/config.h>
44 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
45 #include <assert.h> /* assert() */
46 #include <ldns/sha2.h>
47 
48 /*
49  * ASSERT NOTE:
50  * Some sanity checking code is included using assert(). On my FreeBSD
51  * system, this additional code can be removed by compiling with NDEBUG
52  * defined. Check your own systems manpage on assert() to see how to
53  * compile WITHOUT the sanity checking code on your system.
54  *
55  * UNROLLED TRANSFORM LOOP NOTE:
56  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
57  * loop version for the hash transform rounds (defined using macros
58  * later in this file). Either define on the command line, for example:
59  *
60  * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
61  *
62  * or define below:
63  *
64  * #define SHA2_UNROLL_TRANSFORM
65  *
66  */
67 
68 
69 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
70 /*
71  * BYTE_ORDER NOTE:
72  *
73  * Please make sure that your system defines BYTE_ORDER. If your
74  * architecture is little-endian, make sure it also defines
75  * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
76  * equivalent.
77  *
78  * If your system does not define the above, then you can do so by
79  * hand like this:
80  *
81  * #define LITTLE_ENDIAN 1234
82  * #define BIG_ENDIAN 4321
83  *
84  * And for little-endian machines, add:
85  *
86  * #define BYTE_ORDER LITTLE_ENDIAN
87  *
88  * Or for big-endian machines:
89  *
90  * #define BYTE_ORDER BIG_ENDIAN
91  *
92  * The FreeBSD machine this was written on defines BYTE_ORDER
93  * appropriately by including <sys/types.h> (which in turn includes
94  * <machine/endian.h> where the appropriate definitions are actually
95  * made).
96  */
97 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
98 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
99 #endif
100 
101 typedef uint8_t sha2_byte; /* Exactly 1 byte */
102 typedef uint32_t sha2_word32; /* Exactly 4 bytes */
103 #ifdef S_SPLINT_S
104 typedef unsigned long long sha2_word64; /* lint 8 bytes */
105 #else
106 typedef uint64_t sha2_word64; /* Exactly 8 bytes */
107 #endif
108 
109 /*** SHA-256/384/512 Various Length Definitions ***********************/
110 /* NOTE: Most of these are in sha2.h */
111 #define ldns_sha256_SHORT_BLOCK_LENGTH (LDNS_SHA256_BLOCK_LENGTH - 8)
112 #define ldns_sha384_SHORT_BLOCK_LENGTH (LDNS_SHA384_BLOCK_LENGTH - 16)
113 #define ldns_sha512_SHORT_BLOCK_LENGTH (LDNS_SHA512_BLOCK_LENGTH - 16)
114 
115 
116 /*** ENDIAN REVERSAL MACROS *******************************************/
117 #if BYTE_ORDER == LITTLE_ENDIAN
118 #define REVERSE32(w,x) { \
119  sha2_word32 tmp = (w); \
120  tmp = (tmp >> 16) | (tmp << 16); \
121  (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
122 }
123 #ifndef S_SPLINT_S
124 #define REVERSE64(w,x) { \
125  sha2_word64 tmp = (w); \
126  tmp = (tmp >> 32) | (tmp << 32); \
127  tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
128  ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
129  (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
130  ((tmp & 0x0000ffff0000ffffULL) << 16); \
131 }
132 #else /* splint */
133 #define REVERSE64(w,x) /* splint */
134 #endif /* splint */
135 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
136 
137 /*
138  * Macro for incrementally adding the unsigned 64-bit integer n to the
139  * unsigned 128-bit integer (represented using a two-element array of
140  * 64-bit words):
141  */
142 #define ADDINC128(w,n) { \
143  (w)[0] += (sha2_word64)(n); \
144  if ((w)[0] < (n)) { \
145  (w)[1]++; \
146  } \
147 }
148 #ifdef S_SPLINT_S
149 #undef ADDINC128
150 #define ADDINC128(w,n) /* splint */
151 #endif
152 
153 /*
154  * Macros for copying blocks of memory and for zeroing out ranges
155  * of memory. Using these macros makes it easy to switch from
156  * using memset()/memcpy() and using bzero()/bcopy().
157  *
158  * Please define either SHA2_USE_MEMSET_MEMCPY or define
159  * SHA2_USE_BZERO_BCOPY depending on which function set you
160  * choose to use:
161  */
162 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
163 /* Default to memset()/memcpy() if no option is specified */
164 #define SHA2_USE_MEMSET_MEMCPY 1
165 #endif
166 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
167 /* Abort with an error if BOTH options are defined */
168 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
169 #endif
170 
171 #ifdef SHA2_USE_MEMSET_MEMCPY
172 #define MEMSET_BZERO(p,l) memset((p), 0, (l))
173 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
174 #endif
175 #ifdef SHA2_USE_BZERO_BCOPY
176 #define MEMSET_BZERO(p,l) bzero((p), (l))
177 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
178 #endif
179 
180 
181 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
182 /*
183  * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
184  *
185  * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
186  * S is a ROTATION) because the SHA-256/384/512 description document
187  * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
188  * same "backwards" definition.
189  */
190 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
191 #define R(b,x) ((x) >> (b))
192 /* 32-bit Rotate-right (used in SHA-256): */
193 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
194 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
195 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
196 
197 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
198 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
199 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
200 
201 /* Four of six logical functions used in SHA-256: */
202 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
203 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
204 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
205 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
206 
207 /* Four of six logical functions used in SHA-384 and SHA-512: */
208 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
209 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
210 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
211 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
212 
213 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
214 /* Hash constant words K for SHA-256: */
215 static const sha2_word32 K256[64] = {
216  0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
217  0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
218  0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
219  0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
220  0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
221  0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
222  0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
223  0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
224  0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
225  0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
226  0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
227  0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
228  0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
229  0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
230  0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
231  0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
232 };
233 
234 /* initial hash value H for SHA-256: */
235 static const sha2_word32 ldns_sha256_initial_hash_value[8] = {
236  0x6a09e667UL,
237  0xbb67ae85UL,
238  0x3c6ef372UL,
239  0xa54ff53aUL,
240  0x510e527fUL,
241  0x9b05688cUL,
242  0x1f83d9abUL,
243  0x5be0cd19UL
244 };
245 
246 /* Hash constant words K for SHA-384 and SHA-512: */
247 static const sha2_word64 K512[80] = {
248  0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
249  0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
250  0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
251  0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
252  0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
253  0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
254  0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
255  0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
256  0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
257  0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
258  0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
259  0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
260  0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
261  0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
262  0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
263  0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
264  0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
265  0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
266  0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
267  0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
268  0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
269  0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
270  0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
271  0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
272  0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
273  0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
274  0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
275  0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
276  0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
277  0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
278  0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
279  0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
280  0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
281  0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
282  0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
283  0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
284  0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
285  0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
286  0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
287  0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
288 };
289 
290 /* initial hash value H for SHA-384 */
291 static const sha2_word64 sha384_initial_hash_value[8] = {
292  0xcbbb9d5dc1059ed8ULL,
293  0x629a292a367cd507ULL,
294  0x9159015a3070dd17ULL,
295  0x152fecd8f70e5939ULL,
296  0x67332667ffc00b31ULL,
297  0x8eb44a8768581511ULL,
298  0xdb0c2e0d64f98fa7ULL,
299  0x47b5481dbefa4fa4ULL
300 };
301 
302 /* initial hash value H for SHA-512 */
303 static const sha2_word64 sha512_initial_hash_value[8] = {
304  0x6a09e667f3bcc908ULL,
305  0xbb67ae8584caa73bULL,
306  0x3c6ef372fe94f82bULL,
307  0xa54ff53a5f1d36f1ULL,
308  0x510e527fade682d1ULL,
309  0x9b05688c2b3e6c1fULL,
310  0x1f83d9abfb41bd6bULL,
311  0x5be0cd19137e2179ULL
312 };
313 
314 /*** SHA-256: *********************************************************/
316  if (context == (ldns_sha256_CTX*)0) {
317  return;
318  }
319  MEMCPY_BCOPY(context->state, ldns_sha256_initial_hash_value, LDNS_SHA256_DIGEST_LENGTH);
321  context->bitcount = 0;
322 }
323 
324 #ifdef SHA2_UNROLL_TRANSFORM
325 
326 /* Unrolled SHA-256 round macros: */
327 
328 #if BYTE_ORDER == LITTLE_ENDIAN
329 
330 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
331  REVERSE32(*data++, W256[j]); \
332  T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
333  K256[j] + W256[j]; \
334  (d) += T1; \
335  (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
336  j++
337 
338 
339 #else /* BYTE_ORDER == LITTLE_ENDIAN */
340 
341 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
342  T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
343  K256[j] + (W256[j] = *data++); \
344  (d) += T1; \
345  (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
346  j++
347 
348 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
349 
350 #define ROUND256(a,b,c,d,e,f,g,h) \
351  s0 = W256[(j+1)&0x0f]; \
352  s0 = sigma0_256(s0); \
353  s1 = W256[(j+14)&0x0f]; \
354  s1 = sigma1_256(s1); \
355  T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
356  (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
357  (d) += T1; \
358  (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
359  j++
360 
361 static void ldns_sha256_Transform(ldns_sha256_CTX* context,
362  const sha2_word32* data) {
363  sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
364  sha2_word32 T1, *W256;
365  int j;
366 
367  W256 = (sha2_word32*)context->buffer;
368 
369  /* initialize registers with the prev. intermediate value */
370  a = context->state[0];
371  b = context->state[1];
372  c = context->state[2];
373  d = context->state[3];
374  e = context->state[4];
375  f = context->state[5];
376  g = context->state[6];
377  h = context->state[7];
378 
379  j = 0;
380  do {
381  /* Rounds 0 to 15 (unrolled): */
382  ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
383  ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
384  ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
385  ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
386  ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
387  ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
388  ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
389  ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
390  } while (j < 16);
391 
392  /* Now for the remaining rounds to 64: */
393  do {
394  ROUND256(a,b,c,d,e,f,g,h);
395  ROUND256(h,a,b,c,d,e,f,g);
396  ROUND256(g,h,a,b,c,d,e,f);
397  ROUND256(f,g,h,a,b,c,d,e);
398  ROUND256(e,f,g,h,a,b,c,d);
399  ROUND256(d,e,f,g,h,a,b,c);
400  ROUND256(c,d,e,f,g,h,a,b);
401  ROUND256(b,c,d,e,f,g,h,a);
402  } while (j < 64);
403 
404  /* Compute the current intermediate hash value */
405  context->state[0] += a;
406  context->state[1] += b;
407  context->state[2] += c;
408  context->state[3] += d;
409  context->state[4] += e;
410  context->state[5] += f;
411  context->state[6] += g;
412  context->state[7] += h;
413 
414  /* Clean up */
415  a = b = c = d = e = f = g = h = T1 = 0;
416 }
417 
418 #else /* SHA2_UNROLL_TRANSFORM */
419 
420 static void ldns_sha256_Transform(ldns_sha256_CTX* context,
421  const sha2_word32* data) {
422  sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
423  sha2_word32 T1, T2, *W256;
424  int j;
425 
426  W256 = (sha2_word32*)context->buffer;
427 
428  /* initialize registers with the prev. intermediate value */
429  a = context->state[0];
430  b = context->state[1];
431  c = context->state[2];
432  d = context->state[3];
433  e = context->state[4];
434  f = context->state[5];
435  g = context->state[6];
436  h = context->state[7];
437 
438  j = 0;
439  do {
441  /* Copy data while converting to host byte order */
442  REVERSE32(*data++,W256[j]);
443  /* Apply the SHA-256 compression function to update a..h */
444  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
445 #else /* BYTE_ORDER == LITTLE_ENDIAN */
446  /* Apply the SHA-256 compression function to update a..h with copy */
447  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
448 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
449  T2 = Sigma0_256(a) + Maj(a, b, c);
450  h = g;
451  g = f;
452  f = e;
453  e = d + T1;
454  d = c;
455  c = b;
456  b = a;
457  a = T1 + T2;
458 
459  j++;
460  } while (j < 16);
461 
462  do {
463  /* Part of the message block expansion: */
464  s0 = W256[(j+1)&0x0f];
465  s0 = sigma0_256(s0);
466  s1 = W256[(j+14)&0x0f];
467  s1 = sigma1_256(s1);
468 
469  /* Apply the SHA-256 compression function to update a..h */
470  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
471  (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
472  T2 = Sigma0_256(a) + Maj(a, b, c);
473  h = g;
474  g = f;
475  f = e;
476  e = d + T1;
477  d = c;
478  c = b;
479  b = a;
480  a = T1 + T2;
481 
482  j++;
483  } while (j < 64);
484 
485  /* Compute the current intermediate hash value */
486  context->state[0] += a;
487  context->state[1] += b;
488  context->state[2] += c;
489  context->state[3] += d;
490  context->state[4] += e;
491  context->state[5] += f;
492  context->state[6] += g;
493  context->state[7] += h;
494 
495  /* Clean up */
496  a = b = c = d = e = f = g = h = T1 = T2 = 0;
497  (void)a;
498 }
499 
500 #endif /* SHA2_UNROLL_TRANSFORM */
501 
502 void ldns_sha256_update(ldns_sha256_CTX* context, const sha2_byte *data, size_t len) {
503  size_t freespace, usedspace;
504 
505  if (len == 0) {
506  /* Calling with no data is valid - we do nothing */
507  return;
508  }
509 
510  /* Sanity check: */
511  assert(context != (ldns_sha256_CTX*)0 && data != (sha2_byte*)0);
512 
513  usedspace = (context->bitcount >> 3) % LDNS_SHA256_BLOCK_LENGTH;
514  if (usedspace > 0) {
515  /* Calculate how much free space is available in the buffer */
516  freespace = LDNS_SHA256_BLOCK_LENGTH - usedspace;
517 
518  if (len >= freespace) {
519  /* Fill the buffer completely and process it */
520  MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
521  context->bitcount += freespace << 3;
522  len -= freespace;
523  data += freespace;
524  ldns_sha256_Transform(context, (sha2_word32*)context->buffer);
525  } else {
526  /* The buffer is not yet full */
527  MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
528  context->bitcount += len << 3;
529  /* Clean up: */
530  usedspace = freespace = 0;
531  (void)usedspace;
532  return;
533  }
534  }
535  while (len >= LDNS_SHA256_BLOCK_LENGTH) {
536  /* Process as many complete blocks as we can */
537  ldns_sha256_Transform(context, (sha2_word32*)data);
538  context->bitcount += LDNS_SHA256_BLOCK_LENGTH << 3;
540  data += LDNS_SHA256_BLOCK_LENGTH;
541  }
542  if (len > 0) {
543  /* There's left-overs, so save 'em */
544  MEMCPY_BCOPY(context->buffer, data, len);
545  context->bitcount += len << 3;
546  }
547  /* Clean up: */
548  usedspace = freespace = 0;
549  (void)usedspace;
550 }
551 
552 typedef union _ldns_sha2_buffer_union {
553  uint8_t* theChars;
554  uint64_t* theLongs;
556 
558  sha2_word32 *d = (sha2_word32*)digest;
559  size_t usedspace;
560  ldns_sha2_buffer_union cast_var;
561 
562  /* Sanity check: */
563  assert(context != (ldns_sha256_CTX*)0);
564 
565  /* If no digest buffer is passed, we don't bother doing this: */
566  if (digest != (sha2_byte*)0) {
567  usedspace = (context->bitcount >> 3) % LDNS_SHA256_BLOCK_LENGTH;
568 #if BYTE_ORDER == LITTLE_ENDIAN
569  /* Convert FROM host byte order */
570  REVERSE64(context->bitcount,context->bitcount);
571 #endif
572  if (usedspace > 0) {
573  /* Begin padding with a 1 bit: */
574  context->buffer[usedspace++] = 0x80;
575 
576  if (usedspace <= ldns_sha256_SHORT_BLOCK_LENGTH) {
577  /* Set-up for the last transform: */
578  MEMSET_BZERO(&context->buffer[usedspace], ldns_sha256_SHORT_BLOCK_LENGTH - usedspace);
579  } else {
580  if (usedspace < LDNS_SHA256_BLOCK_LENGTH) {
581  MEMSET_BZERO(&context->buffer[usedspace], LDNS_SHA256_BLOCK_LENGTH - usedspace);
582  }
583  /* Do second-to-last transform: */
584  ldns_sha256_Transform(context, (sha2_word32*)context->buffer);
585 
586  /* And set-up for the last transform: */
588  }
589  } else {
590  /* Set-up for the last transform: */
592 
593  /* Begin padding with a 1 bit: */
594  *context->buffer = 0x80;
595  }
596  /* Set the bit count: */
597  cast_var.theChars = context->buffer;
598  cast_var.theLongs[ldns_sha256_SHORT_BLOCK_LENGTH / 8] = context->bitcount;
599 
600  /* final transform: */
601  ldns_sha256_Transform(context, (sha2_word32*)context->buffer);
602 
603 #if BYTE_ORDER == LITTLE_ENDIAN
604  {
605  /* Convert TO host byte order */
606  int j;
607  for (j = 0; j < 8; j++) {
608  REVERSE32(context->state[j],context->state[j]);
609  *d++ = context->state[j];
610  }
611  }
612 #else
614 #endif
615  }
616 
617  /* Clean up state data: */
618  MEMSET_BZERO(context, sizeof(ldns_sha256_CTX));
619  usedspace = 0;
620  (void)usedspace;
621 }
622 
623 unsigned char *
624 ldns_sha256(const unsigned char *data, unsigned int data_len, unsigned char *digest)
625 {
626  ldns_sha256_CTX ctx;
627  ldns_sha256_init(&ctx);
628  ldns_sha256_update(&ctx, data, data_len);
629  ldns_sha256_final(digest, &ctx);
630  return digest;
631 }
632 
633 /*** SHA-512: *********************************************************/
635  if (context == (ldns_sha512_CTX*)0) {
636  return;
637  }
638  MEMCPY_BCOPY(context->state, sha512_initial_hash_value, LDNS_SHA512_DIGEST_LENGTH);
640  context->bitcount[0] = context->bitcount[1] = 0;
641 }
642 
643 #ifdef SHA2_UNROLL_TRANSFORM
644 
645 /* Unrolled SHA-512 round macros: */
646 #if BYTE_ORDER == LITTLE_ENDIAN
647 
648 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
649  REVERSE64(*data++, W512[j]); \
650  T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
651  K512[j] + W512[j]; \
652  (d) += T1, \
653  (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
654  j++
655 
656 
657 #else /* BYTE_ORDER == LITTLE_ENDIAN */
658 
659 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
660  T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
661  K512[j] + (W512[j] = *data++); \
662  (d) += T1; \
663  (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
664  j++
665 
666 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
667 
668 #define ROUND512(a,b,c,d,e,f,g,h) \
669  s0 = W512[(j+1)&0x0f]; \
670  s0 = sigma0_512(s0); \
671  s1 = W512[(j+14)&0x0f]; \
672  s1 = sigma1_512(s1); \
673  T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
674  (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
675  (d) += T1; \
676  (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
677  j++
678 
679 static void ldns_sha512_Transform(ldns_sha512_CTX* context,
680  const sha2_word64* data) {
681  sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
682  sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
683  int j;
684 
685  /* initialize registers with the prev. intermediate value */
686  a = context->state[0];
687  b = context->state[1];
688  c = context->state[2];
689  d = context->state[3];
690  e = context->state[4];
691  f = context->state[5];
692  g = context->state[6];
693  h = context->state[7];
694 
695  j = 0;
696  do {
697  ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
698  ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
699  ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
700  ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
701  ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
702  ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
703  ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
704  ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
705  } while (j < 16);
706 
707  /* Now for the remaining rounds up to 79: */
708  do {
709  ROUND512(a,b,c,d,e,f,g,h);
710  ROUND512(h,a,b,c,d,e,f,g);
711  ROUND512(g,h,a,b,c,d,e,f);
712  ROUND512(f,g,h,a,b,c,d,e);
713  ROUND512(e,f,g,h,a,b,c,d);
714  ROUND512(d,e,f,g,h,a,b,c);
715  ROUND512(c,d,e,f,g,h,a,b);
716  ROUND512(b,c,d,e,f,g,h,a);
717  } while (j < 80);
718 
719  /* Compute the current intermediate hash value */
720  context->state[0] += a;
721  context->state[1] += b;
722  context->state[2] += c;
723  context->state[3] += d;
724  context->state[4] += e;
725  context->state[5] += f;
726  context->state[6] += g;
727  context->state[7] += h;
728 
729  /* Clean up */
730  a = b = c = d = e = f = g = h = T1 = 0;
731 }
732 
733 #else /* SHA2_UNROLL_TRANSFORM */
734 
735 static void ldns_sha512_Transform(ldns_sha512_CTX* context,
736  const sha2_word64* data) {
737  sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
738  sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
739  int j;
740 
741  /* initialize registers with the prev. intermediate value */
742  a = context->state[0];
743  b = context->state[1];
744  c = context->state[2];
745  d = context->state[3];
746  e = context->state[4];
747  f = context->state[5];
748  g = context->state[6];
749  h = context->state[7];
750 
751  j = 0;
752  do {
754  /* Convert TO host byte order */
755  REVERSE64(*data++, W512[j]);
756  /* Apply the SHA-512 compression function to update a..h */
757  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
758 #else /* BYTE_ORDER == LITTLE_ENDIAN */
759  /* Apply the SHA-512 compression function to update a..h with copy */
760  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
761 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
762  T2 = Sigma0_512(a) + Maj(a, b, c);
763  h = g;
764  g = f;
765  f = e;
766  e = d + T1;
767  d = c;
768  c = b;
769  b = a;
770  a = T1 + T2;
771 
772  j++;
773  } while (j < 16);
774 
775  do {
776  /* Part of the message block expansion: */
777  s0 = W512[(j+1)&0x0f];
778  s0 = sigma0_512(s0);
779  s1 = W512[(j+14)&0x0f];
780  s1 = sigma1_512(s1);
781 
782  /* Apply the SHA-512 compression function to update a..h */
783  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
784  (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
785  T2 = Sigma0_512(a) + Maj(a, b, c);
786  h = g;
787  g = f;
788  f = e;
789  e = d + T1;
790  d = c;
791  c = b;
792  b = a;
793  a = T1 + T2;
794 
795  j++;
796  } while (j < 80);
797 
798  /* Compute the current intermediate hash value */
799  context->state[0] += a;
800  context->state[1] += b;
801  context->state[2] += c;
802  context->state[3] += d;
803  context->state[4] += e;
804  context->state[5] += f;
805  context->state[6] += g;
806  context->state[7] += h;
807 
808  /* Clean up */
809  a = b = c = d = e = f = g = h = T1 = T2 = 0;
810  (void)a;
811 }
812 
813 #endif /* SHA2_UNROLL_TRANSFORM */
814 
815 void ldns_sha512_update(ldns_sha512_CTX* context, const sha2_byte *data, size_t len) {
816  size_t freespace, usedspace;
817 
818  if (len == 0) {
819  /* Calling with no data is valid - we do nothing */
820  return;
821  }
822 
823  /* Sanity check: */
824  assert(context != (ldns_sha512_CTX*)0 && data != (sha2_byte*)0);
825 
826  usedspace = (context->bitcount[0] >> 3) % LDNS_SHA512_BLOCK_LENGTH;
827  if (usedspace > 0) {
828  /* Calculate how much free space is available in the buffer */
829  freespace = LDNS_SHA512_BLOCK_LENGTH - usedspace;
830 
831  if (len >= freespace) {
832  /* Fill the buffer completely and process it */
833  MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
834  ADDINC128(context->bitcount, freespace << 3);
835  len -= freespace;
836  data += freespace;
837  ldns_sha512_Transform(context, (sha2_word64*)context->buffer);
838  } else {
839  /* The buffer is not yet full */
840  MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
841  ADDINC128(context->bitcount, len << 3);
842  /* Clean up: */
843  usedspace = freespace = 0;
844  (void)usedspace;
845  return;
846  }
847  }
848  while (len >= LDNS_SHA512_BLOCK_LENGTH) {
849  /* Process as many complete blocks as we can */
850  ldns_sha512_Transform(context, (sha2_word64*)data);
853  data += LDNS_SHA512_BLOCK_LENGTH;
854  }
855  if (len > 0) {
856  /* There's left-overs, so save 'em */
857  MEMCPY_BCOPY(context->buffer, data, len);
858  ADDINC128(context->bitcount, len << 3);
859  }
860  /* Clean up: */
861  usedspace = freespace = 0;
862  (void)usedspace;
863 }
864 
865 static void ldns_sha512_Last(ldns_sha512_CTX* context) {
866  size_t usedspace;
867  ldns_sha2_buffer_union cast_var;
868 
869  usedspace = (context->bitcount[0] >> 3) % LDNS_SHA512_BLOCK_LENGTH;
870 #if BYTE_ORDER == LITTLE_ENDIAN
871  /* Convert FROM host byte order */
872  REVERSE64(context->bitcount[0],context->bitcount[0]);
873  REVERSE64(context->bitcount[1],context->bitcount[1]);
874 #endif
875  if (usedspace > 0) {
876  /* Begin padding with a 1 bit: */
877  context->buffer[usedspace++] = 0x80;
878 
879  if (usedspace <= ldns_sha512_SHORT_BLOCK_LENGTH) {
880  /* Set-up for the last transform: */
881  MEMSET_BZERO(&context->buffer[usedspace], ldns_sha512_SHORT_BLOCK_LENGTH - usedspace);
882  } else {
883  if (usedspace < LDNS_SHA512_BLOCK_LENGTH) {
884  MEMSET_BZERO(&context->buffer[usedspace], LDNS_SHA512_BLOCK_LENGTH - usedspace);
885  }
886  /* Do second-to-last transform: */
887  ldns_sha512_Transform(context, (sha2_word64*)context->buffer);
888 
889  /* And set-up for the last transform: */
891  }
892  } else {
893  /* Prepare for final transform: */
895 
896  /* Begin padding with a 1 bit: */
897  *context->buffer = 0x80;
898  }
899  /* Store the length of input data (in bits): */
900  cast_var.theChars = context->buffer;
901  cast_var.theLongs[ldns_sha512_SHORT_BLOCK_LENGTH / 8] = context->bitcount[1];
902  cast_var.theLongs[ldns_sha512_SHORT_BLOCK_LENGTH / 8 + 1] = context->bitcount[0];
903 
904  /* final transform: */
905  ldns_sha512_Transform(context, (sha2_word64*)context->buffer);
906 }
907 
909  sha2_word64 *d = (sha2_word64*)digest;
910 
911  /* Sanity check: */
912  assert(context != (ldns_sha512_CTX*)0);
913 
914  /* If no digest buffer is passed, we don't bother doing this: */
915  if (digest != (sha2_byte*)0) {
916  ldns_sha512_Last(context);
917 
918  /* Save the hash data for output: */
919 #if BYTE_ORDER == LITTLE_ENDIAN
920  {
921  /* Convert TO host byte order */
922  int j;
923  for (j = 0; j < 8; j++) {
924  REVERSE64(context->state[j],context->state[j]);
925  *d++ = context->state[j];
926  }
927  }
928 #else
930 #endif
931  }
932 
933  /* Zero out state data */
934  MEMSET_BZERO(context, sizeof(ldns_sha512_CTX));
935 }
936 
937 unsigned char *
938 ldns_sha512(const unsigned char *data, unsigned int data_len, unsigned char *digest)
939 {
940  ldns_sha512_CTX ctx;
941  ldns_sha512_init(&ctx);
942  ldns_sha512_update(&ctx, data, data_len);
943  ldns_sha512_final(digest, &ctx);
944  return digest;
945 }
946 
947 /*** SHA-384: *********************************************************/
949  if (context == (ldns_sha384_CTX*)0) {
950  return;
951  }
952  MEMCPY_BCOPY(context->state, sha384_initial_hash_value, LDNS_SHA512_DIGEST_LENGTH);
954  context->bitcount[0] = context->bitcount[1] = 0;
955 }
956 
957 void ldns_sha384_update(ldns_sha384_CTX* context, const sha2_byte* data, size_t len) {
958  ldns_sha512_update((ldns_sha512_CTX*)context, data, len);
959 }
960 
962  sha2_word64 *d = (sha2_word64*)digest;
963 
964  /* Sanity check: */
965  assert(context != (ldns_sha384_CTX*)0);
966 
967  /* If no digest buffer is passed, we don't bother doing this: */
968  if (digest != (sha2_byte*)0) {
969  ldns_sha512_Last((ldns_sha512_CTX*)context);
970 
971  /* Save the hash data for output: */
972 #if BYTE_ORDER == LITTLE_ENDIAN
973  {
974  /* Convert TO host byte order */
975  int j;
976  for (j = 0; j < 6; j++) {
977  REVERSE64(context->state[j],context->state[j]);
978  *d++ = context->state[j];
979  }
980  }
981 #else
983 #endif
984  }
985 
986  /* Zero out state data */
987  MEMSET_BZERO(context, sizeof(ldns_sha384_CTX));
988 }
989 
990 unsigned char *
991 ldns_sha384(const unsigned char *data, unsigned int data_len, unsigned char *digest)
992 {
993  ldns_sha384_CTX ctx;
994  ldns_sha384_init(&ctx);
995  ldns_sha384_update(&ctx, data, data_len);
996  ldns_sha384_final(digest, &ctx);
997  return digest;
998 }
uint64_t state[8]
Definition: sha2.h:81
#define MEMCPY_BCOPY(d, s, l)
Definition: sha2.c:173
#define BYTE_ORDER
Definition: config.h:630
#define LDNS_SHA256_DIGEST_LENGTH
Definition: sha2.h:63
#define LDNS_SHA256_BLOCK_LENGTH
Definition: sha2.h:62
uint8_t * theChars
Definition: sha2.c:553
#define Sigma1_256(x)
Definition: sha2.c:203
#define sigma1_512(x)
Definition: sha2.c:211
#define sigma0_256(x)
Definition: sha2.c:204
uint8_t sha2_byte
Definition: sha2.c:101
#define Sigma1_512(x)
Definition: sha2.c:209
#define ldns_sha512_SHORT_BLOCK_LENGTH
Definition: sha2.c:113
#define Maj(x, y, z)
Definition: sha2.c:199
#define LDNS_SHA512_DIGEST_LENGTH
Definition: sha2.h:69
void ldns_sha512_final(sha2_byte digest[64], ldns_sha512_CTX *context)
Definition: sha2.c:908
void ldns_sha256_final(sha2_byte digest[32], ldns_sha256_CTX *context)
Definition: sha2.c:557
uint64_t * theLongs
Definition: sha2.c:554
#define ADDINC128(w, n)
Definition: sha2.c:142
union _ldns_sha2_buffer_union ldns_sha2_buffer_union
unsigned char * ldns_sha512(const unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition: sha2.c:938
void ldns_sha256_init(ldns_sha256_CTX *context)
Definition: sha2.c:315
void ldns_sha512_init(ldns_sha512_CTX *context)
Definition: sha2.c:634
uint8_t buffer[64]
Definition: sha2.h:78
#define LDNS_SHA384_DIGEST_LENGTH
Definition: sha2.h:66
#define Ch(x, y, z)
Definition: sha2.c:198
unsigned char * ldns_sha256(const unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition: sha2.c:624
uint64_t sha2_word64
Definition: sha2.c:106
#define LITTLE_ENDIAN
Definition: config.h:619
void ldns_sha384_update(ldns_sha384_CTX *context, const sha2_byte *data, size_t len)
Definition: sha2.c:957
uint32_t sha2_word32
Definition: sha2.c:102
void ldns_sha256_update(ldns_sha256_CTX *context, const sha2_byte *data, size_t len)
Definition: sha2.c:502
#define LDNS_SHA512_BLOCK_LENGTH
Definition: sha2.h:68
#define MEMSET_BZERO(p, l)
Definition: sha2.c:172
#define Sigma0_512(x)
Definition: sha2.c:208
uint64_t bitcount[2]
Definition: sha2.h:82
#define sigma1_256(x)
Definition: sha2.c:205
#define Sigma0_256(x)
Definition: sha2.c:202
uint32_t state[8]
Definition: sha2.h:76
uint8_t buffer[128]
Definition: sha2.h:83
#define ldns_sha256_SHORT_BLOCK_LENGTH
Definition: sha2.c:111
void ldns_sha512_update(ldns_sha512_CTX *context, const sha2_byte *data, size_t len)
Definition: sha2.c:815
#define LDNS_SHA384_BLOCK_LENGTH
Definition: sha2.h:65
unsigned char * ldns_sha384(const unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
Definition: sha2.c:991
uint64_t bitcount
Definition: sha2.h:77
#define sigma0_512(x)
Definition: sha2.c:210
void ldns_sha384_final(sha2_byte digest[48], ldns_sha384_CTX *context)
Definition: sha2.c:961
void ldns_sha384_init(ldns_sha384_CTX *context)
Definition: sha2.c:948