1
/* Copyright 2003-2005 The Apache Software Foundation or its licensors, as
4
* Licensed under the Apache License, Version 2.0 (the "License");
5
* you may not use this file except in compliance with the License.
6
* You may obtain a copy of the License at
8
* http://www.apache.org/licenses/LICENSE-2.0
10
* Unless required by applicable law or agreed to in writing, software
11
* distributed under the License is distributed on an "AS IS" BASIS,
12
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
* See the License for the specific language governing permissions and
14
* limitations under the License.
18
* AUTHOR: Aaron D. Gifford <me@aarongifford.com>
20
* A licence was granted to the ASF by Aaron on 4 November 2003.
23
#include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
24
#include <assert.h> /* assert() */
29
* Some sanity checking code is included using assert(). On my FreeBSD
30
* system, this additional code can be removed by compiling with NDEBUG
31
* defined. Check your own systems manpage on assert() to see how to
32
* compile WITHOUT the sanity checking code on your system.
34
* UNROLLED TRANSFORM LOOP NOTE:
35
* You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
36
* loop version for the hash transform rounds (defined using macros
37
* later in this file). Either define on the command line, for example:
39
* cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
43
* #define SHA2_UNROLL_TRANSFORM
47
/*** SHA-256/384/512 Machine Architecture Definitions *****************/
48
typedef apr_byte_t sha2_byte; /* Exactly 1 byte */
49
typedef apr_uint32_t sha2_word32; /* Exactly 4 bytes */
50
typedef apr_uint64_t sha2_word64; /* Exactly 8 bytes */
52
/*** SHA-256/384/512 Various Length Definitions ***********************/
53
/* NOTE: Most of these are in sha2.h */
54
#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
55
#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
56
#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
59
/*** ENDIAN REVERSAL MACROS *******************************************/
61
#define REVERSE32(w,x) { \
62
sha2_word32 tmp = (w); \
63
tmp = (tmp >> 16) | (tmp << 16); \
64
(x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
66
#define REVERSE64(w,x) { \
67
sha2_word64 tmp = (w); \
68
tmp = (tmp >> 32) | (tmp << 32); \
69
tmp = ((tmp & APR_UINT64_C(0xff00ff00ff00ff00)) >> 8) | \
70
((tmp & APR_UINT64_C(0x00ff00ff00ff00ff)) << 8); \
71
(x) = ((tmp & APR_UINT64_C(0xffff0000ffff0000)) >> 16) | \
72
((tmp & APR_UINT64_C(0x0000ffff0000ffff)) << 16); \
74
#endif /* !APR_IS_BIGENDIAN */
77
* Macro for incrementally adding the unsigned 64-bit integer n to the
78
* unsigned 128-bit integer (represented using a two-element array of
81
#define ADDINC128(w,n) { \
82
(w)[0] += (sha2_word64)(n); \
89
* Macros for copying blocks of memory and for zeroing out ranges
90
* of memory. Using these macros makes it easy to switch from
91
* using memset()/memcpy() and using bzero()/bcopy().
93
* Please define either SHA2_USE_MEMSET_MEMCPY or define
94
* SHA2_USE_BZERO_BCOPY depending on which function set you
97
#if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
98
/* Default to memset()/memcpy() if no option is specified */
99
#define SHA2_USE_MEMSET_MEMCPY 1
101
#if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
102
/* Abort with an error if BOTH options are defined */
103
#error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
106
#ifdef SHA2_USE_MEMSET_MEMCPY
107
#define MEMSET_BZERO(p,l) memset((p), 0, (l))
108
#define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
110
#ifdef SHA2_USE_BZERO_BCOPY
111
#define MEMSET_BZERO(p,l) bzero((p), (l))
112
#define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
116
/*** THE SIX LOGICAL FUNCTIONS ****************************************/
118
* Bit shifting and rotation (used by the six SHA-XYZ logical functions:
120
* NOTE: The naming of R and S appears backwards here (R is a SHIFT and
121
* S is a ROTATION) because the SHA-256/384/512 description document
122
* (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
123
* same "backwards" definition.
125
/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
126
#define R(b,x) ((x) >> (b))
127
/* 32-bit Rotate-right (used in SHA-256): */
128
#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
129
/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
130
#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
132
/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
133
#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
134
#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
136
/* Four of six logical functions used in SHA-256: */
137
#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
138
#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
139
#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
140
#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
142
/* Four of six logical functions used in SHA-384 and SHA-512: */
143
#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
144
#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
145
#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
146
#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
148
/*** INTERNAL FUNCTION PROTOTYPES *************************************/
149
/* NOTE: These should not be accessed directly from outside this
150
* library -- they are intended for private internal visibility/use
153
void apr__SHA512_Last(SHA512_CTX*);
154
void apr__SHA256_Transform(SHA256_CTX*, const sha2_word32*);
155
void apr__SHA512_Transform(SHA512_CTX*, const sha2_word64*);
158
/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
159
/* Hash constant words K for SHA-256: */
160
const static sha2_word32 K256[64] = {
161
0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
162
0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
163
0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
164
0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
165
0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
166
0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
167
0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
168
0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
169
0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
170
0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
171
0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
172
0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
173
0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
174
0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
175
0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
176
0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
179
/* Initial hash value H for SHA-256: */
180
const static sha2_word32 sha256_initial_hash_value[8] = {
191
/* Hash constant words K for SHA-384 and SHA-512: */
192
const static sha2_word64 K512[80] = {
193
APR_UINT64_C(0x428a2f98d728ae22), APR_UINT64_C(0x7137449123ef65cd),
194
APR_UINT64_C(0xb5c0fbcfec4d3b2f), APR_UINT64_C(0xe9b5dba58189dbbc),
195
APR_UINT64_C(0x3956c25bf348b538), APR_UINT64_C(0x59f111f1b605d019),
196
APR_UINT64_C(0x923f82a4af194f9b), APR_UINT64_C(0xab1c5ed5da6d8118),
197
APR_UINT64_C(0xd807aa98a3030242), APR_UINT64_C(0x12835b0145706fbe),
198
APR_UINT64_C(0x243185be4ee4b28c), APR_UINT64_C(0x550c7dc3d5ffb4e2),
199
APR_UINT64_C(0x72be5d74f27b896f), APR_UINT64_C(0x80deb1fe3b1696b1),
200
APR_UINT64_C(0x9bdc06a725c71235), APR_UINT64_C(0xc19bf174cf692694),
201
APR_UINT64_C(0xe49b69c19ef14ad2), APR_UINT64_C(0xefbe4786384f25e3),
202
APR_UINT64_C(0x0fc19dc68b8cd5b5), APR_UINT64_C(0x240ca1cc77ac9c65),
203
APR_UINT64_C(0x2de92c6f592b0275), APR_UINT64_C(0x4a7484aa6ea6e483),
204
APR_UINT64_C(0x5cb0a9dcbd41fbd4), APR_UINT64_C(0x76f988da831153b5),
205
APR_UINT64_C(0x983e5152ee66dfab), APR_UINT64_C(0xa831c66d2db43210),
206
APR_UINT64_C(0xb00327c898fb213f), APR_UINT64_C(0xbf597fc7beef0ee4),
207
APR_UINT64_C(0xc6e00bf33da88fc2), APR_UINT64_C(0xd5a79147930aa725),
208
APR_UINT64_C(0x06ca6351e003826f), APR_UINT64_C(0x142929670a0e6e70),
209
APR_UINT64_C(0x27b70a8546d22ffc), APR_UINT64_C(0x2e1b21385c26c926),
210
APR_UINT64_C(0x4d2c6dfc5ac42aed), APR_UINT64_C(0x53380d139d95b3df),
211
APR_UINT64_C(0x650a73548baf63de), APR_UINT64_C(0x766a0abb3c77b2a8),
212
APR_UINT64_C(0x81c2c92e47edaee6), APR_UINT64_C(0x92722c851482353b),
213
APR_UINT64_C(0xa2bfe8a14cf10364), APR_UINT64_C(0xa81a664bbc423001),
214
APR_UINT64_C(0xc24b8b70d0f89791), APR_UINT64_C(0xc76c51a30654be30),
215
APR_UINT64_C(0xd192e819d6ef5218), APR_UINT64_C(0xd69906245565a910),
216
APR_UINT64_C(0xf40e35855771202a), APR_UINT64_C(0x106aa07032bbd1b8),
217
APR_UINT64_C(0x19a4c116b8d2d0c8), APR_UINT64_C(0x1e376c085141ab53),
218
APR_UINT64_C(0x2748774cdf8eeb99), APR_UINT64_C(0x34b0bcb5e19b48a8),
219
APR_UINT64_C(0x391c0cb3c5c95a63), APR_UINT64_C(0x4ed8aa4ae3418acb),
220
APR_UINT64_C(0x5b9cca4f7763e373), APR_UINT64_C(0x682e6ff3d6b2b8a3),
221
APR_UINT64_C(0x748f82ee5defb2fc), APR_UINT64_C(0x78a5636f43172f60),
222
APR_UINT64_C(0x84c87814a1f0ab72), APR_UINT64_C(0x8cc702081a6439ec),
223
APR_UINT64_C(0x90befffa23631e28), APR_UINT64_C(0xa4506cebde82bde9),
224
APR_UINT64_C(0xbef9a3f7b2c67915), APR_UINT64_C(0xc67178f2e372532b),
225
APR_UINT64_C(0xca273eceea26619c), APR_UINT64_C(0xd186b8c721c0c207),
226
APR_UINT64_C(0xeada7dd6cde0eb1e), APR_UINT64_C(0xf57d4f7fee6ed178),
227
APR_UINT64_C(0x06f067aa72176fba), APR_UINT64_C(0x0a637dc5a2c898a6),
228
APR_UINT64_C(0x113f9804bef90dae), APR_UINT64_C(0x1b710b35131c471b),
229
APR_UINT64_C(0x28db77f523047d84), APR_UINT64_C(0x32caab7b40c72493),
230
APR_UINT64_C(0x3c9ebe0a15c9bebc), APR_UINT64_C(0x431d67c49c100d4c),
231
APR_UINT64_C(0x4cc5d4becb3e42b6), APR_UINT64_C(0x597f299cfc657e2a),
232
APR_UINT64_C(0x5fcb6fab3ad6faec), APR_UINT64_C(0x6c44198c4a475817)
235
/* Initial hash value H for SHA-384 */
236
const static sha2_word64 sha384_initial_hash_value[8] = {
237
APR_UINT64_C(0xcbbb9d5dc1059ed8),
238
APR_UINT64_C(0x629a292a367cd507),
239
APR_UINT64_C(0x9159015a3070dd17),
240
APR_UINT64_C(0x152fecd8f70e5939),
241
APR_UINT64_C(0x67332667ffc00b31),
242
APR_UINT64_C(0x8eb44a8768581511),
243
APR_UINT64_C(0xdb0c2e0d64f98fa7),
244
APR_UINT64_C(0x47b5481dbefa4fa4)
247
/* Initial hash value H for SHA-512 */
248
const static sha2_word64 sha512_initial_hash_value[8] = {
249
APR_UINT64_C(0x6a09e667f3bcc908),
250
APR_UINT64_C(0xbb67ae8584caa73b),
251
APR_UINT64_C(0x3c6ef372fe94f82b),
252
APR_UINT64_C(0xa54ff53a5f1d36f1),
253
APR_UINT64_C(0x510e527fade682d1),
254
APR_UINT64_C(0x9b05688c2b3e6c1f),
255
APR_UINT64_C(0x1f83d9abfb41bd6b),
256
APR_UINT64_C(0x5be0cd19137e2179)
260
* Constant used by SHA256/384/512_End() functions for converting the
261
* digest to a readable hexadecimal character string:
263
static const char *sha2_hex_digits = "0123456789abcdef";
266
/*** SHA-256: *********************************************************/
267
void apr__SHA256_Init(SHA256_CTX* context) {
268
if (context == (SHA256_CTX*)0) {
271
MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
272
MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH);
273
context->bitcount = 0;
276
#ifdef SHA2_UNROLL_TRANSFORM
278
/* Unrolled SHA-256 round macros: */
280
#if !APR_IS_BIGENDIAN
282
#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
283
REVERSE32(*data++, W256[j]); \
284
T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
287
(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
291
#else /* APR_IS_BIGENDIAN */
293
#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
294
T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
295
K256[j] + (W256[j] = *data++); \
297
(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
300
#endif /* APR_IS_BIGENDIAN */
302
#define ROUND256(a,b,c,d,e,f,g,h) \
303
s0 = W256[(j+1)&0x0f]; \
304
s0 = sigma0_256(s0); \
305
s1 = W256[(j+14)&0x0f]; \
306
s1 = sigma1_256(s1); \
307
T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
308
(W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
310
(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
313
void apr__SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
314
sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
315
sha2_word32 T1, *W256;
318
W256 = (sha2_word32*)context->buffer;
320
/* Initialize registers with the prev. intermediate value */
321
a = context->state[0];
322
b = context->state[1];
323
c = context->state[2];
324
d = context->state[3];
325
e = context->state[4];
326
f = context->state[5];
327
g = context->state[6];
328
h = context->state[7];
332
/* Rounds 0 to 15 (unrolled): */
333
ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
334
ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
335
ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
336
ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
337
ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
338
ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
339
ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
340
ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
343
/* Now for the remaining rounds to 64: */
345
ROUND256(a,b,c,d,e,f,g,h);
346
ROUND256(h,a,b,c,d,e,f,g);
347
ROUND256(g,h,a,b,c,d,e,f);
348
ROUND256(f,g,h,a,b,c,d,e);
349
ROUND256(e,f,g,h,a,b,c,d);
350
ROUND256(d,e,f,g,h,a,b,c);
351
ROUND256(c,d,e,f,g,h,a,b);
352
ROUND256(b,c,d,e,f,g,h,a);
355
/* Compute the current intermediate hash value */
356
context->state[0] += a;
357
context->state[1] += b;
358
context->state[2] += c;
359
context->state[3] += d;
360
context->state[4] += e;
361
context->state[5] += f;
362
context->state[6] += g;
363
context->state[7] += h;
366
a = b = c = d = e = f = g = h = T1 = 0;
369
#else /* SHA2_UNROLL_TRANSFORM */
371
void apr__SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
372
sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
373
sha2_word32 T1, T2, *W256;
376
W256 = (sha2_word32*)context->buffer;
378
/* Initialize registers with the prev. intermediate value */
379
a = context->state[0];
380
b = context->state[1];
381
c = context->state[2];
382
d = context->state[3];
383
e = context->state[4];
384
f = context->state[5];
385
g = context->state[6];
386
h = context->state[7];
390
#if !APR_IS_BIGENDIAN
391
/* Copy data while converting to host byte order */
392
REVERSE32(*data++,W256[j]);
393
/* Apply the SHA-256 compression function to update a..h */
394
T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
395
#else /* APR_IS_BIGENDIAN */
396
/* Apply the SHA-256 compression function to update a..h with copy */
397
T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
398
#endif /* APR_IS_BIGENDIAN */
399
T2 = Sigma0_256(a) + Maj(a, b, c);
413
/* Part of the message block expansion: */
414
s0 = W256[(j+1)&0x0f];
416
s1 = W256[(j+14)&0x0f];
419
/* Apply the SHA-256 compression function to update a..h */
420
T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
421
(W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
422
T2 = Sigma0_256(a) + Maj(a, b, c);
435
/* Compute the current intermediate hash value */
436
context->state[0] += a;
437
context->state[1] += b;
438
context->state[2] += c;
439
context->state[3] += d;
440
context->state[4] += e;
441
context->state[5] += f;
442
context->state[6] += g;
443
context->state[7] += h;
446
a = b = c = d = e = f = g = h = T1 = T2 = 0;
449
#endif /* SHA2_UNROLL_TRANSFORM */
451
void apr__SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
452
unsigned int freespace, usedspace;
455
/* Calling with no data is valid - we do nothing */
460
assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
462
usedspace = (unsigned int)((context->bitcount >> 3)
463
% SHA256_BLOCK_LENGTH);
465
/* Calculate how much free space is available in the buffer */
466
freespace = SHA256_BLOCK_LENGTH - usedspace;
468
if (len >= freespace) {
469
/* Fill the buffer completely and process it */
470
MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
471
context->bitcount += freespace << 3;
474
apr__SHA256_Transform(context, (sha2_word32*)context->buffer);
476
/* The buffer is not yet full */
477
MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
478
context->bitcount += len << 3;
480
usedspace = freespace = 0;
484
while (len >= SHA256_BLOCK_LENGTH) {
485
/* Process as many complete blocks as we can */
486
apr__SHA256_Transform(context, (sha2_word32*)data);
487
context->bitcount += SHA256_BLOCK_LENGTH << 3;
488
len -= SHA256_BLOCK_LENGTH;
489
data += SHA256_BLOCK_LENGTH;
492
/* There's left-overs, so save 'em */
493
MEMCPY_BCOPY(context->buffer, data, len);
494
context->bitcount += len << 3;
497
usedspace = freespace = 0;
500
void apr__SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
501
sha2_word32 *d = (sha2_word32*)digest;
502
unsigned int usedspace;
505
assert(context != (SHA256_CTX*)0);
507
/* If no digest buffer is passed, we don't bother doing this: */
508
if (digest != (sha2_byte*)0) {
509
usedspace = (unsigned int)((context->bitcount >> 3)
510
% SHA256_BLOCK_LENGTH);
511
#if !APR_IS_BIGENDIAN
512
/* Convert FROM host byte order */
513
REVERSE64(context->bitcount,context->bitcount);
516
/* Begin padding with a 1 bit: */
517
context->buffer[usedspace++] = 0x80;
519
if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
520
/* Set-up for the last transform: */
521
MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
523
if (usedspace < SHA256_BLOCK_LENGTH) {
524
MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
526
/* Do second-to-last transform: */
527
apr__SHA256_Transform(context, (sha2_word32*)context->buffer);
529
/* And set-up for the last transform: */
530
MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
533
/* Set-up for the last transform: */
534
MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
536
/* Begin padding with a 1 bit: */
537
*context->buffer = 0x80;
539
/* Set the bit count: */
540
*(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
542
/* Final transform: */
543
apr__SHA256_Transform(context, (sha2_word32*)context->buffer);
545
#if !APR_IS_BIGENDIAN
547
/* Convert TO host byte order */
549
for (j = 0; j < 8; j++) {
550
REVERSE32(context->state[j],context->state[j]);
551
*d++ = context->state[j];
555
MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH);
559
/* Clean up state data: */
560
MEMSET_BZERO(context, sizeof(context));
564
char *apr__SHA256_End(SHA256_CTX* context, char buffer[]) {
565
sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
569
assert(context != (SHA256_CTX*)0);
571
if (buffer != (char*)0) {
572
apr__SHA256_Final(digest, context);
574
for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
575
*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
576
*buffer++ = sha2_hex_digits[*d & 0x0f];
581
MEMSET_BZERO(context, sizeof(context));
583
MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH);
587
char* apr__SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
590
apr__SHA256_Init(&context);
591
apr__SHA256_Update(&context, data, len);
592
return apr__SHA256_End(&context, digest);
596
/*** SHA-512: *********************************************************/
597
void apr__SHA512_Init(SHA512_CTX* context) {
598
if (context == (SHA512_CTX*)0) {
601
MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
602
MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH);
603
context->bitcount[0] = context->bitcount[1] = 0;
606
#ifdef SHA2_UNROLL_TRANSFORM
608
/* Unrolled SHA-512 round macros: */
609
#if !APR_IS_BIGENDIAN
611
#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
612
REVERSE64(*data++, W512[j]); \
613
T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
616
(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
620
#else /* APR_IS_BIGENDIAN */
622
#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
623
T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
624
K512[j] + (W512[j] = *data++); \
626
(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
629
#endif /* APR_IS_BIGENDIAN */
631
#define ROUND512(a,b,c,d,e,f,g,h) \
632
s0 = W512[(j+1)&0x0f]; \
633
s0 = sigma0_512(s0); \
634
s1 = W512[(j+14)&0x0f]; \
635
s1 = sigma1_512(s1); \
636
T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
637
(W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
639
(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
642
void apr__SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
643
sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
644
sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
647
/* Initialize registers with the prev. intermediate value */
648
a = context->state[0];
649
b = context->state[1];
650
c = context->state[2];
651
d = context->state[3];
652
e = context->state[4];
653
f = context->state[5];
654
g = context->state[6];
655
h = context->state[7];
659
ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
660
ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
661
ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
662
ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
663
ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
664
ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
665
ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
666
ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
669
/* Now for the remaining rounds up to 79: */
671
ROUND512(a,b,c,d,e,f,g,h);
672
ROUND512(h,a,b,c,d,e,f,g);
673
ROUND512(g,h,a,b,c,d,e,f);
674
ROUND512(f,g,h,a,b,c,d,e);
675
ROUND512(e,f,g,h,a,b,c,d);
676
ROUND512(d,e,f,g,h,a,b,c);
677
ROUND512(c,d,e,f,g,h,a,b);
678
ROUND512(b,c,d,e,f,g,h,a);
681
/* Compute the current intermediate hash value */
682
context->state[0] += a;
683
context->state[1] += b;
684
context->state[2] += c;
685
context->state[3] += d;
686
context->state[4] += e;
687
context->state[5] += f;
688
context->state[6] += g;
689
context->state[7] += h;
692
a = b = c = d = e = f = g = h = T1 = 0;
695
#else /* SHA2_UNROLL_TRANSFORM */
697
void apr__SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
698
sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
699
sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
702
/* Initialize registers with the prev. intermediate value */
703
a = context->state[0];
704
b = context->state[1];
705
c = context->state[2];
706
d = context->state[3];
707
e = context->state[4];
708
f = context->state[5];
709
g = context->state[6];
710
h = context->state[7];
714
#if !APR_IS_BIGENDIAN
715
/* Convert TO host byte order */
716
REVERSE64(*data++, W512[j]);
717
/* Apply the SHA-512 compression function to update a..h */
718
T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
719
#else /* APR_IS_BIGENDIAN */
720
/* Apply the SHA-512 compression function to update a..h with copy */
721
T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
722
#endif /* APR_IS_BIGENDIAN */
723
T2 = Sigma0_512(a) + Maj(a, b, c);
737
/* Part of the message block expansion: */
738
s0 = W512[(j+1)&0x0f];
740
s1 = W512[(j+14)&0x0f];
743
/* Apply the SHA-512 compression function to update a..h */
744
T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
745
(W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
746
T2 = Sigma0_512(a) + Maj(a, b, c);
759
/* Compute the current intermediate hash value */
760
context->state[0] += a;
761
context->state[1] += b;
762
context->state[2] += c;
763
context->state[3] += d;
764
context->state[4] += e;
765
context->state[5] += f;
766
context->state[6] += g;
767
context->state[7] += h;
770
a = b = c = d = e = f = g = h = T1 = T2 = 0;
773
#endif /* SHA2_UNROLL_TRANSFORM */
775
void apr__SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
776
unsigned int freespace, usedspace;
779
/* Calling with no data is valid - we do nothing */
784
assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
786
usedspace = (unsigned int)((context->bitcount[0] >> 3)
787
% SHA512_BLOCK_LENGTH);
789
/* Calculate how much free space is available in the buffer */
790
freespace = SHA512_BLOCK_LENGTH - usedspace;
792
if (len >= freespace) {
793
/* Fill the buffer completely and process it */
794
MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
795
ADDINC128(context->bitcount, freespace << 3);
798
apr__SHA512_Transform(context, (sha2_word64*)context->buffer);
800
/* The buffer is not yet full */
801
MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
802
ADDINC128(context->bitcount, len << 3);
804
usedspace = freespace = 0;
808
while (len >= SHA512_BLOCK_LENGTH) {
809
/* Process as many complete blocks as we can */
810
apr__SHA512_Transform(context, (sha2_word64*)data);
811
ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
812
len -= SHA512_BLOCK_LENGTH;
813
data += SHA512_BLOCK_LENGTH;
816
/* There's left-overs, so save 'em */
817
MEMCPY_BCOPY(context->buffer, data, len);
818
ADDINC128(context->bitcount, len << 3);
821
usedspace = freespace = 0;
824
void apr__SHA512_Last(SHA512_CTX* context) {
825
unsigned int usedspace;
827
usedspace = (unsigned int)((context->bitcount[0] >> 3)
828
% SHA512_BLOCK_LENGTH);
829
#if !APR_IS_BIGENDIAN
830
/* Convert FROM host byte order */
831
REVERSE64(context->bitcount[0],context->bitcount[0]);
832
REVERSE64(context->bitcount[1],context->bitcount[1]);
835
/* Begin padding with a 1 bit: */
836
context->buffer[usedspace++] = 0x80;
838
if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
839
/* Set-up for the last transform: */
840
MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
842
if (usedspace < SHA512_BLOCK_LENGTH) {
843
MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
845
/* Do second-to-last transform: */
846
apr__SHA512_Transform(context, (sha2_word64*)context->buffer);
848
/* And set-up for the last transform: */
849
MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2);
852
/* Prepare for final transform: */
853
MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
855
/* Begin padding with a 1 bit: */
856
*context->buffer = 0x80;
858
/* Store the length of input data (in bits): */
859
*(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
860
*(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
862
/* Final transform: */
863
apr__SHA512_Transform(context, (sha2_word64*)context->buffer);
866
void apr__SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
867
sha2_word64 *d = (sha2_word64*)digest;
870
assert(context != (SHA512_CTX*)0);
872
/* If no digest buffer is passed, we don't bother doing this: */
873
if (digest != (sha2_byte*)0) {
874
apr__SHA512_Last(context);
876
/* Save the hash data for output: */
877
#if !APR_IS_BIGENDIAN
879
/* Convert TO host byte order */
881
for (j = 0; j < 8; j++) {
882
REVERSE64(context->state[j],context->state[j]);
883
*d++ = context->state[j];
886
#else /* APR_IS_BIGENDIAN */
887
MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH);
888
#endif /* APR_IS_BIGENDIAN */
891
/* Zero out state data */
892
MEMSET_BZERO(context, sizeof(context));
895
char *apr__SHA512_End(SHA512_CTX* context, char buffer[]) {
896
sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
900
assert(context != (SHA512_CTX*)0);
902
if (buffer != (char*)0) {
903
apr__SHA512_Final(digest, context);
905
for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
906
*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
907
*buffer++ = sha2_hex_digits[*d & 0x0f];
912
MEMSET_BZERO(context, sizeof(context));
914
MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH);
918
char* apr__SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
921
apr__SHA512_Init(&context);
922
apr__SHA512_Update(&context, data, len);
923
return apr__SHA512_End(&context, digest);
927
/*** SHA-384: *********************************************************/
928
void apr__SHA384_Init(SHA384_CTX* context) {
929
if (context == (SHA384_CTX*)0) {
932
MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
933
MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH);
934
context->bitcount[0] = context->bitcount[1] = 0;
937
void apr__SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
938
apr__SHA512_Update((SHA512_CTX*)context, data, len);
941
void apr__SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
942
sha2_word64 *d = (sha2_word64*)digest;
945
assert(context != (SHA384_CTX*)0);
947
/* If no digest buffer is passed, we don't bother doing this: */
948
if (digest != (sha2_byte*)0) {
949
apr__SHA512_Last((SHA512_CTX*)context);
951
/* Save the hash data for output: */
952
#if !APR_IS_BIGENDIAN
954
/* Convert TO host byte order */
956
for (j = 0; j < 6; j++) {
957
REVERSE64(context->state[j],context->state[j]);
958
*d++ = context->state[j];
961
#else /* APR_IS_BIGENDIAN */
962
MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH);
963
#endif /* APR_IS_BIGENDIAN */
966
/* Zero out state data */
967
MEMSET_BZERO(context, sizeof(context));
970
char *apr__SHA384_End(SHA384_CTX* context, char buffer[]) {
971
sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
975
assert(context != (SHA384_CTX*)0);
977
if (buffer != (char*)0) {
978
apr__SHA384_Final(digest, context);
980
for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
981
*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
982
*buffer++ = sha2_hex_digits[*d & 0x0f];
987
MEMSET_BZERO(context, sizeof(context));
989
MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH);
993
char* apr__SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
996
apr__SHA384_Init(&context);
997
apr__SHA384_Update(&context, data, len);
998
return apr__SHA384_End(&context, digest);