2
---------------------------------------------------------------------------
3
Copyright (c) 2002, Dr Brian Gladman < >, Worcester, UK.
8
The free distribution and use of this software in both source and binary
9
form is allowed (with or without changes) provided that:
11
1. distributions of this source code include the above copyright
12
notice, this list of conditions and the following disclaimer;
14
2. distributions in binary form include the above copyright
15
notice, this list of conditions and the following disclaimer
16
in the documentation and/or other associated materials;
18
3. the copyright holder's name is not used to endorse products
19
built using this software without specific written permission.
21
ALTERNATIVELY, provided that this notice is retained in full, this product
22
may be distributed under the terms of the GNU General Public License (GPL),
23
in which case the provisions of the GPL apply INSTEAD OF those given above.
27
This software is provided 'as is' with no explicit or implied warranties
28
in respect of its properties, including, but not limited to, correctness
29
and/or fitness for purpose.
30
---------------------------------------------------------------------------
31
Issue Date: 26/08/2003
33
This is a byte oriented version of SHA2 that operates on arrays of bytes
34
stored in memory. This code implements sha256, sha384 and sha512 but the
35
latter two functions rely on efficient 64-bit integer operations that
36
may not be very efficient on 32-bit machines
38
The sha256 functions use a type 'sha256_ctx' to hold details of the
39
current hash state and uses the following three calls:
41
void sha256_begin(sha256_ctx ctx[1])
42
void sha256_hash(const unsigned char data[],
43
unsigned long len, sha256_ctx ctx[1])
44
void sha256_end(unsigned char hval[], sha256_ctx ctx[1])
46
The first subroutine initialises a hash computation by setting up the
47
context in the sha256_ctx context. The second subroutine hashes 8-bit
48
bytes from array data[] into the hash state withinh sha256_ctx context,
49
the number of bytes to be hashed being given by the the unsigned long
50
integer len. The third subroutine completes the hash calculation and
51
places the resulting digest value in the array of 8-bit bytes hval[].
53
The sha384 and sha512 functions are similar and use the interfaces:
55
void sha384_begin(sha384_ctx ctx[1]);
56
void sha384_hash(const unsigned char data[],
57
unsigned long len, sha384_ctx ctx[1]);
58
void sha384_end(unsigned char hval[], sha384_ctx ctx[1]);
60
void sha512_begin(sha512_ctx ctx[1]);
61
void sha512_hash(const unsigned char data[],
62
unsigned long len, sha512_ctx ctx[1]);
63
void sha512_end(unsigned char hval[], sha512_ctx ctx[1]);
65
In addition there is a function sha2 that can be used to call all these
66
functions using a call with a hash length parameter as follows:
68
int sha2_begin(unsigned long len, sha2_ctx ctx[1]);
69
void sha2_hash(const unsigned char data[],
70
unsigned long len, sha2_ctx ctx[1]);
71
void sha2_end(unsigned char hval[], sha2_ctx ctx[1]);
73
My thanks to Erik Andersen <andersen@codepoet.org> for testing this code
74
on big-endian systems and for his assistance with corrections
77
/* define the hash functions that you need */
79
#define SHA_2 /* for dynamic hash length */
84
#include <string.h> /* for memcpy() etc. */
85
#include <stdlib.h> /* for _lrotr with VC++ */
90
/* BYTE ORDER IN 32-BIT WORDS
92
To obtain the highest speed on processors with 32-bit words, this code
93
needs to determine the byte order of the target machine. The following
94
block of code is an attempt to capture the most obvious ways in which
95
various environemnts define byte order. It may well fail, in which case
96
the definitions will need to be set by editing at the points marked
97
**** EDIT HERE IF NECESSARY **** below. My thanks to Peter Gutmann for
98
some of these defines (from cryptlib).
101
#define BRG_LITTLE_ENDIAN 1234 /* byte 0 is least significant (i386) */
102
#define BRG_BIG_ENDIAN 4321 /* byte 0 is most significant (mc68k) */
104
#ifdef __BIG_ENDIAN__
105
#define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
107
#define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
111
#pragma intrinsic(memcpy)
114
#define rotr32(x,n) (((x) >> n) | ((x) << (32 - n)))
116
#if !defined(bswap_32)
117
#define bswap_32(x) irr::os::Byteswap::byteswap(x)
120
#if (PLATFORM_BYTE_ORDER == BRG_LITTLE_ENDIAN)
126
#if defined(SHA_2) || defined(SHA_256)
128
#define SHA256_MASK (SHA256_BLOCK_SIZE - 1)
130
#if defined(SWAP_BYTES)
131
#define bsw_32(p,n) { int _i = (n); while(_i--) p[_i] = bswap_32(p[_i]); }
136
/* SHA256 mixing function definitions */
140
#define ch(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
141
#define maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
143
#else /* Thanks to Rich Schroeppel and Colin Plumb for the following */
145
#define ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
146
#define maj(x,y,z) (((x) & (y)) | ((z) & ((x) ^ (y))))
150
#define s256_0(x) (rotr32((x), 2) ^ rotr32((x), 13) ^ rotr32((x), 22))
151
#define s256_1(x) (rotr32((x), 6) ^ rotr32((x), 11) ^ rotr32((x), 25))
152
#define g256_0(x) (rotr32((x), 7) ^ rotr32((x), 18) ^ ((x) >> 3))
153
#define g256_1(x) (rotr32((x), 17) ^ rotr32((x), 19) ^ ((x) >> 10))
155
/* rotated SHA256 round definition. Rather than swapping variables as in */
156
/* FIPS-180, different variables are 'rotated' on each round, returning */
157
/* to their starting positions every eight rounds */
159
#define h2(i) p[i & 15] += \
160
g256_1(p[(i + 14) & 15]) + p[(i + 9) & 15] + g256_0(p[(i + 1) & 15])
162
#define h2_cycle(i,j) \
163
v[(7 - i) & 7] += (j ? h2(i) : p[i & 15]) + k256[i + j] \
164
+ s256_1(v[(4 - i) & 7]) + ch(v[(4 - i) & 7], v[(5 - i) & 7], v[(6 - i) & 7]); \
165
v[(3 - i) & 7] += v[(7 - i) & 7]; \
166
v[(7 - i) & 7] += s256_0(v[(0 - i) & 7]) + maj(v[(0 - i) & 7], v[(1 - i) & 7], v[(2 - i) & 7])
168
/* SHA256 mixing data */
170
const sha2_32t k256[64] =
171
{ n_u32(428a2f98), n_u32(71374491), n_u32(b5c0fbcf), n_u32(e9b5dba5),
172
n_u32(3956c25b), n_u32(59f111f1), n_u32(923f82a4), n_u32(ab1c5ed5),
173
n_u32(d807aa98), n_u32(12835b01), n_u32(243185be), n_u32(550c7dc3),
174
n_u32(72be5d74), n_u32(80deb1fe), n_u32(9bdc06a7), n_u32(c19bf174),
175
n_u32(e49b69c1), n_u32(efbe4786), n_u32(0fc19dc6), n_u32(240ca1cc),
176
n_u32(2de92c6f), n_u32(4a7484aa), n_u32(5cb0a9dc), n_u32(76f988da),
177
n_u32(983e5152), n_u32(a831c66d), n_u32(b00327c8), n_u32(bf597fc7),
178
n_u32(c6e00bf3), n_u32(d5a79147), n_u32(06ca6351), n_u32(14292967),
179
n_u32(27b70a85), n_u32(2e1b2138), n_u32(4d2c6dfc), n_u32(53380d13),
180
n_u32(650a7354), n_u32(766a0abb), n_u32(81c2c92e), n_u32(92722c85),
181
n_u32(a2bfe8a1), n_u32(a81a664b), n_u32(c24b8b70), n_u32(c76c51a3),
182
n_u32(d192e819), n_u32(d6990624), n_u32(f40e3585), n_u32(106aa070),
183
n_u32(19a4c116), n_u32(1e376c08), n_u32(2748774c), n_u32(34b0bcb5),
184
n_u32(391c0cb3), n_u32(4ed8aa4a), n_u32(5b9cca4f), n_u32(682e6ff3),
185
n_u32(748f82ee), n_u32(78a5636f), n_u32(84c87814), n_u32(8cc70208),
186
n_u32(90befffa), n_u32(a4506ceb), n_u32(bef9a3f7), n_u32(c67178f2),
189
/* SHA256 initialisation data */
191
const sha2_32t i256[8] =
193
n_u32(6a09e667), n_u32(bb67ae85), n_u32(3c6ef372), n_u32(a54ff53a),
194
n_u32(510e527f), n_u32(9b05688c), n_u32(1f83d9ab), n_u32(5be0cd19)
197
sha2_void sha256_begin(sha256_ctx ctx[1])
199
ctx->count[0] = ctx->count[1] = 0;
200
memcpy(ctx->hash, i256, 8 * sizeof(sha2_32t));
203
/* Compile 64 bytes of hash data into SHA256 digest value */
204
/* NOTE: this routine assumes that the byte order in the */
205
/* ctx->wbuf[] at this point is in such an order that low */
206
/* address bytes in the ORIGINAL byte stream placed in this */
207
/* buffer will now go to the high end of words on BOTH big */
208
/* and little endian systems */
210
sha2_void sha256_compile(sha256_ctx ctx[1])
211
{ sha2_32t v[8], j, *p = ctx->wbuf;
213
memcpy(v, ctx->hash, 8 * sizeof(sha2_32t));
215
for(j = 0; j < 64; j += 16)
217
h2_cycle( 0, j); h2_cycle( 1, j); h2_cycle( 2, j); h2_cycle( 3, j);
218
h2_cycle( 4, j); h2_cycle( 5, j); h2_cycle( 6, j); h2_cycle( 7, j);
219
h2_cycle( 8, j); h2_cycle( 9, j); h2_cycle(10, j); h2_cycle(11, j);
220
h2_cycle(12, j); h2_cycle(13, j); h2_cycle(14, j); h2_cycle(15, j);
223
ctx->hash[0] += v[0]; ctx->hash[1] += v[1]; ctx->hash[2] += v[2]; ctx->hash[3] += v[3];
224
ctx->hash[4] += v[4]; ctx->hash[5] += v[5]; ctx->hash[6] += v[6]; ctx->hash[7] += v[7];
227
/* SHA256 hash data in an array of bytes into hash buffer */
228
/* and call the hash_compile function as required. */
230
sha2_void sha256_hash(const unsigned char data[], unsigned long len, sha256_ctx ctx[1])
231
{ sha2_32t pos = (sha2_32t)(ctx->count[0] & SHA256_MASK),
232
space = SHA256_BLOCK_SIZE - pos;
233
const unsigned char *sp = data;
235
if((ctx->count[0] += len) < len)
238
while(len >= space) /* tranfer whole blocks while possible */
240
memcpy(((unsigned char*)ctx->wbuf) + pos, sp, space);
241
sp += space; len -= space; space = SHA256_BLOCK_SIZE; pos = 0;
242
bsw_32(ctx->wbuf, SHA256_BLOCK_SIZE >> 2)
246
memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len);
249
/* SHA256 Final padding and digest calculation */
251
static sha2_32t m1[4] =
253
n_u32(00000000), n_u32(ff000000), n_u32(ffff0000), n_u32(ffffff00)
256
static sha2_32t b1[4] =
258
n_u32(80000000), n_u32(00800000), n_u32(00008000), n_u32(00000080)
261
sha2_void sha256_end(unsigned char hval[], sha256_ctx ctx[1])
262
{ sha2_32t i = (sha2_32t)(ctx->count[0] & SHA256_MASK);
264
bsw_32(ctx->wbuf, (i + 3) >> 2)
265
/* bytes in the buffer are now in an order in which references */
266
/* to 32-bit words will put bytes with lower addresses into the */
267
/* top of 32 bit words on BOTH big and little endian machines */
269
/* we now need to mask valid bytes and add the padding which is */
270
/* a single 1 bit and as many zero bits as necessary. */
271
ctx->wbuf[i >> 2] = (ctx->wbuf[i >> 2] & m1[i & 3]) | b1[i & 3];
273
/* we need 9 or more empty positions, one for the padding byte */
274
/* (above) and eight for the length count. If there is not */
275
/* enough space pad and empty the buffer */
276
if(i > SHA256_BLOCK_SIZE - 9)
278
if(i < 60) ctx->wbuf[15] = 0;
282
else /* compute a word index for the empty buffer positions */
285
while(i < 14) /* and zero pad all but last two positions */
288
/* the following 32-bit length fields are assembled in the */
289
/* wrong byte order on little endian machines but this is */
290
/* corrected later since they are only ever used as 32-bit */
293
ctx->wbuf[14] = (ctx->count[1] << 3) | (ctx->count[0] >> 29);
294
ctx->wbuf[15] = ctx->count[0] << 3;
298
/* extract the hash value as bytes in case the hash buffer is */
299
/* mislaigned for 32-bit words */
300
for(i = 0; i < SHA256_DIGEST_SIZE; ++i)
301
hval[i] = (unsigned char)(ctx->hash[i >> 2] >> (8 * (~i & 3)));
304
sha2_void sha256(unsigned char hval[], const unsigned char data[], unsigned long len)
307
sha256_begin(cx); sha256_hash(data, len, cx); sha256_end(hval, cx);
312
#if defined(SHA_2) || defined(SHA_384) || defined(SHA_512)
314
#define SHA512_MASK (SHA512_BLOCK_SIZE - 1)
316
#define rotr64(x,n) (((x) >> n) | ((x) << (64 - n)))
318
#if !defined(bswap_64)
319
#define bswap_64(x) ((((sha2_64t)(bswap_32((sha2_32t)(x)))) << 32) | (bswap_32((sha2_32t)((x) >> 32))))
322
#if defined(SWAP_BYTES)
323
#define bsw_64(p,n) { int _i = (n); while(_i--) p[_i] = bswap_64(p[_i]); }
328
/* SHA512 mixing function definitions */
330
#define s512_0(x) (rotr64((x), 28) ^ rotr64((x), 34) ^ rotr64((x), 39))
331
#define s512_1(x) (rotr64((x), 14) ^ rotr64((x), 18) ^ rotr64((x), 41))
332
#define g512_0(x) (rotr64((x), 1) ^ rotr64((x), 8) ^ ((x) >> 7))
333
#define g512_1(x) (rotr64((x), 19) ^ rotr64((x), 61) ^ ((x) >> 6))
335
/* rotated SHA512 round definition. Rather than swapping variables as in */
336
/* FIPS-180, different variables are 'rotated' on each round, returning */
337
/* to their starting positions every eight rounds */
339
#define h5(i) ctx->wbuf[i & 15] += \
340
g512_1(ctx->wbuf[(i + 14) & 15]) + ctx->wbuf[(i + 9) & 15] + g512_0(ctx->wbuf[(i + 1) & 15])
342
#define h5_cycle(i,j) \
343
v[(7 - i) & 7] += (j ? h5(i) : ctx->wbuf[i & 15]) + k512[i + j] \
344
+ s512_1(v[(4 - i) & 7]) + ch(v[(4 - i) & 7], v[(5 - i) & 7], v[(6 - i) & 7]); \
345
v[(3 - i) & 7] += v[(7 - i) & 7]; \
346
v[(7 - i) & 7] += s512_0(v[(0 - i) & 7]) + maj(v[(0 - i) & 7], v[(1 - i) & 7], v[(2 - i) & 7])
348
/* SHA384/SHA512 mixing data */
350
const sha2_64t k512[80] =
352
n_u64(428a2f98d728ae22), n_u64(7137449123ef65cd),
353
n_u64(b5c0fbcfec4d3b2f), n_u64(e9b5dba58189dbbc),
354
n_u64(3956c25bf348b538), n_u64(59f111f1b605d019),
355
n_u64(923f82a4af194f9b), n_u64(ab1c5ed5da6d8118),
356
n_u64(d807aa98a3030242), n_u64(12835b0145706fbe),
357
n_u64(243185be4ee4b28c), n_u64(550c7dc3d5ffb4e2),
358
n_u64(72be5d74f27b896f), n_u64(80deb1fe3b1696b1),
359
n_u64(9bdc06a725c71235), n_u64(c19bf174cf692694),
360
n_u64(e49b69c19ef14ad2), n_u64(efbe4786384f25e3),
361
n_u64(0fc19dc68b8cd5b5), n_u64(240ca1cc77ac9c65),
362
n_u64(2de92c6f592b0275), n_u64(4a7484aa6ea6e483),
363
n_u64(5cb0a9dcbd41fbd4), n_u64(76f988da831153b5),
364
n_u64(983e5152ee66dfab), n_u64(a831c66d2db43210),
365
n_u64(b00327c898fb213f), n_u64(bf597fc7beef0ee4),
366
n_u64(c6e00bf33da88fc2), n_u64(d5a79147930aa725),
367
n_u64(06ca6351e003826f), n_u64(142929670a0e6e70),
368
n_u64(27b70a8546d22ffc), n_u64(2e1b21385c26c926),
369
n_u64(4d2c6dfc5ac42aed), n_u64(53380d139d95b3df),
370
n_u64(650a73548baf63de), n_u64(766a0abb3c77b2a8),
371
n_u64(81c2c92e47edaee6), n_u64(92722c851482353b),
372
n_u64(a2bfe8a14cf10364), n_u64(a81a664bbc423001),
373
n_u64(c24b8b70d0f89791), n_u64(c76c51a30654be30),
374
n_u64(d192e819d6ef5218), n_u64(d69906245565a910),
375
n_u64(f40e35855771202a), n_u64(106aa07032bbd1b8),
376
n_u64(19a4c116b8d2d0c8), n_u64(1e376c085141ab53),
377
n_u64(2748774cdf8eeb99), n_u64(34b0bcb5e19b48a8),
378
n_u64(391c0cb3c5c95a63), n_u64(4ed8aa4ae3418acb),
379
n_u64(5b9cca4f7763e373), n_u64(682e6ff3d6b2b8a3),
380
n_u64(748f82ee5defb2fc), n_u64(78a5636f43172f60),
381
n_u64(84c87814a1f0ab72), n_u64(8cc702081a6439ec),
382
n_u64(90befffa23631e28), n_u64(a4506cebde82bde9),
383
n_u64(bef9a3f7b2c67915), n_u64(c67178f2e372532b),
384
n_u64(ca273eceea26619c), n_u64(d186b8c721c0c207),
385
n_u64(eada7dd6cde0eb1e), n_u64(f57d4f7fee6ed178),
386
n_u64(06f067aa72176fba), n_u64(0a637dc5a2c898a6),
387
n_u64(113f9804bef90dae), n_u64(1b710b35131c471b),
388
n_u64(28db77f523047d84), n_u64(32caab7b40c72493),
389
n_u64(3c9ebe0a15c9bebc), n_u64(431d67c49c100d4c),
390
n_u64(4cc5d4becb3e42b6), n_u64(597f299cfc657e2a),
391
n_u64(5fcb6fab3ad6faec), n_u64(6c44198c4a475817)
394
/* Compile 64 bytes of hash data into SHA384/SHA512 digest value */
396
sha2_void sha512_compile(sha512_ctx ctx[1])
400
memcpy(v, ctx->hash, 8 * sizeof(sha2_64t));
402
for(j = 0; j < 80; j += 16)
404
h5_cycle( 0, j); h5_cycle( 1, j); h5_cycle( 2, j); h5_cycle( 3, j);
405
h5_cycle( 4, j); h5_cycle( 5, j); h5_cycle( 6, j); h5_cycle( 7, j);
406
h5_cycle( 8, j); h5_cycle( 9, j); h5_cycle(10, j); h5_cycle(11, j);
407
h5_cycle(12, j); h5_cycle(13, j); h5_cycle(14, j); h5_cycle(15, j);
410
ctx->hash[0] += v[0]; ctx->hash[1] += v[1]; ctx->hash[2] += v[2]; ctx->hash[3] += v[3];
411
ctx->hash[4] += v[4]; ctx->hash[5] += v[5]; ctx->hash[6] += v[6]; ctx->hash[7] += v[7];
414
/* Compile 128 bytes of hash data into SHA256 digest value */
415
/* NOTE: this routine assumes that the byte order in the */
416
/* ctx->wbuf[] at this point is in such an order that low */
417
/* address bytes in the ORIGINAL byte stream placed in this */
418
/* buffer will now go to the high end of words on BOTH big */
419
/* and little endian systems */
421
sha2_void sha512_hash(const unsigned char data[], unsigned long len, sha512_ctx ctx[1])
422
{ sha2_32t pos = (sha2_32t)(ctx->count[0] & SHA512_MASK),
423
space = SHA512_BLOCK_SIZE - pos;
424
const unsigned char *sp = data;
426
if((ctx->count[0] += len) < len)
429
while(len >= space) /* tranfer whole blocks while possible */
431
memcpy(((unsigned char*)ctx->wbuf) + pos, sp, space);
432
sp += space; len -= space; space = SHA512_BLOCK_SIZE; pos = 0;
433
bsw_64(ctx->wbuf, SHA512_BLOCK_SIZE >> 3);
437
memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len);
440
/* SHA384/512 Final padding and digest calculation */
442
static sha2_64t m2[8] =
444
n_u64(0000000000000000), n_u64(ff00000000000000),
445
n_u64(ffff000000000000), n_u64(ffffff0000000000),
446
n_u64(ffffffff00000000), n_u64(ffffffffff000000),
447
n_u64(ffffffffffff0000), n_u64(ffffffffffffff00)
450
static sha2_64t b2[8] =
452
n_u64(8000000000000000), n_u64(0080000000000000),
453
n_u64(0000800000000000), n_u64(0000008000000000),
454
n_u64(0000000080000000), n_u64(0000000000800000),
455
n_u64(0000000000008000), n_u64(0000000000000080)
458
static void sha_end(unsigned char hval[], sha512_ctx ctx[1], const unsigned int hlen)
459
{ sha2_32t i = (sha2_32t)(ctx->count[0] & SHA512_MASK);
461
bsw_64(ctx->wbuf, (i + 7) >> 3);
463
/* bytes in the buffer are now in an order in which references */
464
/* to 64-bit words will put bytes with lower addresses into the */
465
/* top of 64 bit words on BOTH big and little endian machines */
467
/* we now need to mask valid bytes and add the padding which is */
468
/* a single 1 bit and as many zero bits as necessary. */
469
ctx->wbuf[i >> 3] = (ctx->wbuf[i >> 3] & m2[i & 7]) | b2[i & 7];
471
/* we need 17 or more empty byte positions, one for the padding */
472
/* byte (above) and sixteen for the length count. If there is */
473
/* not enough space pad and empty the buffer */
474
if(i > SHA512_BLOCK_SIZE - 17)
476
if(i < 120) ctx->wbuf[15] = 0;
486
/* the following 64-bit length fields are assembled in the */
487
/* wrong byte order on little endian machines but this is */
488
/* corrected later since they are only ever used as 64-bit */
491
ctx->wbuf[14] = (ctx->count[1] << 3) | (ctx->count[0] >> 61);
492
ctx->wbuf[15] = ctx->count[0] << 3;
496
/* extract the hash value as bytes in case the hash buffer is */
497
/* misaligned for 32-bit words */
498
for(i = 0; i < hlen; ++i)
499
hval[i] = (unsigned char)(ctx->hash[i >> 3] >> (8 * (~i & 7)));
504
#if defined(SHA_2) || defined(SHA_384)
506
/* SHA384 initialisation data */
508
const sha2_64t i384[80] =
510
n_u64(cbbb9d5dc1059ed8), n_u64(629a292a367cd507),
511
n_u64(9159015a3070dd17), n_u64(152fecd8f70e5939),
512
n_u64(67332667ffc00b31), n_u64(8eb44a8768581511),
513
n_u64(db0c2e0d64f98fa7), n_u64(47b5481dbefa4fa4)
516
sha2_void sha384_begin(sha384_ctx ctx[1])
518
ctx->count[0] = ctx->count[1] = 0;
519
memcpy(ctx->hash, i384, 8 * sizeof(sha2_64t));
522
sha2_void sha384_end(unsigned char hval[], sha384_ctx ctx[1])
524
sha_end(hval, ctx, SHA384_DIGEST_SIZE);
527
sha2_void sha384(unsigned char hval[], const unsigned char data[], unsigned long len)
530
sha384_begin(cx); sha384_hash(data, len, cx); sha384_end(hval, cx);
535
#if defined(SHA_2) || defined(SHA_512)
537
/* SHA512 initialisation data */
539
const sha2_64t i512[80] =
541
n_u64(6a09e667f3bcc908), n_u64(bb67ae8584caa73b),
542
n_u64(3c6ef372fe94f82b), n_u64(a54ff53a5f1d36f1),
543
n_u64(510e527fade682d1), n_u64(9b05688c2b3e6c1f),
544
n_u64(1f83d9abfb41bd6b), n_u64(5be0cd19137e2179)
547
sha2_void sha512_begin(sha512_ctx ctx[1])
549
ctx->count[0] = ctx->count[1] = 0;
550
memcpy(ctx->hash, i512, 8 * sizeof(sha2_64t));
553
sha2_void sha512_end(unsigned char hval[], sha512_ctx ctx[1])
555
sha_end(hval, ctx, SHA512_DIGEST_SIZE);
558
sha2_void sha512(unsigned char hval[], const unsigned char data[], unsigned long len)
561
sha512_begin(cx); sha512_hash(data, len, cx); sha512_end(hval, cx);
568
#define CTX_256(x) ((x)->uu->ctx256)
569
#define CTX_384(x) ((x)->uu->ctx512)
570
#define CTX_512(x) ((x)->uu->ctx512)
572
/* SHA2 initialisation */
574
sha2_int sha2_begin(unsigned long len, sha2_ctx ctx[1])
575
{ unsigned long l = len;
578
case 256: l = len >> 3;
579
case 32: CTX_256(ctx)->count[0] = CTX_256(ctx)->count[1] = 0;
580
memcpy(CTX_256(ctx)->hash, i256, 32); break;
581
case 384: l = len >> 3;
582
case 48: CTX_384(ctx)->count[0] = CTX_384(ctx)->count[1] = 0;
583
memcpy(CTX_384(ctx)->hash, i384, 64); break;
584
case 512: l = len >> 3;
585
case 64: CTX_512(ctx)->count[0] = CTX_512(ctx)->count[1] = 0;
586
memcpy(CTX_512(ctx)->hash, i512, 64); break;
587
default: return SHA2_BAD;
590
ctx->sha2_len = l; return SHA2_GOOD;
593
sha2_void sha2_hash(const unsigned char data[], unsigned long len, sha2_ctx ctx[1])
595
switch(ctx->sha2_len)
597
case 32: sha256_hash(data, len, CTX_256(ctx)); return;
598
case 48: sha384_hash(data, len, CTX_384(ctx)); return;
599
case 64: sha512_hash(data, len, CTX_512(ctx)); return;
603
sha2_void sha2_end(unsigned char hval[], sha2_ctx ctx[1])
605
switch(ctx->sha2_len)
607
case 32: sha256_end(hval, CTX_256(ctx)); return;
608
case 48: sha_end(hval, CTX_384(ctx), SHA384_DIGEST_SIZE); return;
609
case 64: sha_end(hval, CTX_512(ctx), SHA512_DIGEST_SIZE); return;
613
sha2_int sha2(unsigned char hval[], unsigned long size,
614
const unsigned char data[], unsigned long len)
617
if(sha2_begin(size, cx) == SHA2_GOOD)
619
sha2_hash(data, len, cx); sha2_end(hval, cx); return SHA2_GOOD;