medfall

A super great game engine
Log | Files | Refs

sha2.cc (23913B)


      1 /*	$OpenBSD: sha2.c,v 1.24 2015/09/11 09:18:27 guenther Exp $	*/
      2 
      3 /*
      4  * FILE:	sha2.c
      5  * AUTHOR:	Aaron D. Gifford <me@aarongifford.com>
      6  * 
      7  * Copyright (c) 2000-2001, Aaron D. Gifford
      8  * All rights reserved.
      9  *
     10  * Redistribution and use in source and binary forms, with or without
     11  * modification, are permitted provided that the following conditions
     12  * are met:
     13  * 1. Redistributions of source code must retain the above copyright
     14  *    notice, this list of conditions and the following disclaimer.
     15  * 2. Redistributions in binary form must reproduce the above copyright
     16  *    notice, this list of conditions and the following disclaimer in the
     17  *    documentation and/or other materials provided with the distribution.
     18  * 3. Neither the name of the copyright holder nor the names of contributors
     19  *    may be used to endorse or promote products derived from this software
     20  *    without specific prior written permission.
     21  * 
     22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
     23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
     26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     32  * SUCH DAMAGE.
     33  *
     34  * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
     35  */
     36 
     37 #include <stdint.h>
     38 #include <string.h>
     39 
     40 #include "sha2.h"
     41 
     42 #define explicit_bzero( p, len ) memset( p, 0, len )
     43 
     44 /*
     45  * UNROLLED TRANSFORM LOOP NOTE:
     46  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
     47  * loop version for the hash transform rounds (defined using macros
     48  * later in this file).  Either define on the command line, for example:
     49  *
     50  *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
     51  *
     52  * or define below:
     53  *
     54  *   #define SHA2_UNROLL_TRANSFORM
     55  *
     56  */
     57 #ifndef SHA2_SMALL
     58 #if defined(__amd64__) || defined(__i386__)
     59 #define SHA2_UNROLL_TRANSFORM
     60 #endif
     61 #endif
     62 
     63 /*** SHA-224/256/384/512 Machine Architecture Definitions *****************/
     64 /*
     65  * BYTE_ORDER NOTE:
     66  *
     67  * Please make sure that your system defines BYTE_ORDER.  If your
     68  * architecture is little-endian, make sure it also defines
     69  * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
     70  * equivilent.
     71  *
     72  * If your system does not define the above, then you can do so by
     73  * hand like this:
     74  *
     75  *   #define LITTLE_ENDIAN 1234
     76  *   #define BIG_ENDIAN    4321
     77  *
     78  * And for little-endian machines, add:
     79  *
     80  *   #define BYTE_ORDER LITTLE_ENDIAN 
     81  *
     82  * Or for big-endian machines:
     83  *
     84  *   #define BYTE_ORDER BIG_ENDIAN
     85  *
     86  * The FreeBSD machine this was written on defines BYTE_ORDER
     87  * appropriately by including <sys/types.h> (which in turn includes
     88  * <machine/endian.h> where the appropriate definitions are actually
     89  * made).
     90  */
     91 #define LITTLE_ENDIAN 1234
     92 #define BIG_ENDIAN 4321
     93 #define BYTE_ORDER LITTLE_ENDIAN
     94 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
     95 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
     96 #endif
     97 
     98 
     99 /*** SHA-224/256/384/512 Various Length Definitions ***********************/
    100 /* NOTE: Most of these are in sha2.h */
    101 #define SHA224_SHORT_BLOCK_LENGTH	(SHA224_BLOCK_LENGTH - 8)
    102 #define SHA256_SHORT_BLOCK_LENGTH	(SHA256_BLOCK_LENGTH - 8)
    103 #define SHA384_SHORT_BLOCK_LENGTH	(SHA384_BLOCK_LENGTH - 16)
    104 #define SHA512_SHORT_BLOCK_LENGTH	(SHA512_BLOCK_LENGTH - 16)
    105 
    106 /*** ENDIAN SPECIFIC COPY MACROS **************************************/
    107 #define BE_8_TO_32(dst, cp) do {					\
    108 	(dst) = (uint32_t)(cp)[3] | ((uint32_t)(cp)[2] << 8) |	\
    109 	    ((uint32_t)(cp)[1] << 16) | ((uint32_t)(cp)[0] << 24);	\
    110 } while(0)
    111 
    112 #define BE_8_TO_64(dst, cp) do {					\
    113 	(dst) = (uint64_t)(cp)[7] | ((uint64_t)(cp)[6] << 8) |	\
    114 	    ((uint64_t)(cp)[5] << 16) | ((uint64_t)(cp)[4] << 24) |	\
    115 	    ((uint64_t)(cp)[3] << 32) | ((uint64_t)(cp)[2] << 40) |	\
    116 	    ((uint64_t)(cp)[1] << 48) | ((uint64_t)(cp)[0] << 56);	\
    117 } while (0)
    118 
    119 #define BE_64_TO_8(cp, src) do {					\
    120 	(cp)[0] = (src) >> 56;						\
    121         (cp)[1] = (src) >> 48;						\
    122 	(cp)[2] = (src) >> 40;						\
    123 	(cp)[3] = (src) >> 32;						\
    124 	(cp)[4] = (src) >> 24;						\
    125 	(cp)[5] = (src) >> 16;						\
    126 	(cp)[6] = (src) >> 8;						\
    127 	(cp)[7] = (src);						\
    128 } while (0)
    129 
    130 #define BE_32_TO_8(cp, src) do {					\
    131 	(cp)[0] = (src) >> 24;						\
    132 	(cp)[1] = (src) >> 16;						\
    133 	(cp)[2] = (src) >> 8;						\
    134 	(cp)[3] = (src);						\
    135 } while (0)
    136 
    137 /*
    138  * Macro for incrementally adding the unsigned 64-bit integer n to the
    139  * unsigned 128-bit integer (represented using a two-element array of
    140  * 64-bit words):
    141  */
    142 #define ADDINC128(w,n) do {						\
    143 	(w)[0] += (uint64_t)(n);					\
    144 	if ((w)[0] < (n)) {						\
    145 		(w)[1]++;						\
    146 	}								\
    147 } while (0)
    148 
    149 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
    150 /*
    151  * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
    152  *
    153  *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
    154  *   S is a ROTATION) because the SHA-224/256/384/512 description document
    155  *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
    156  *   same "backwards" definition.
    157  */
    158 /* Shift-right (used in SHA-224, SHA-256, SHA-384, and SHA-512): */
    159 #define R(b,x) 		((x) >> (b))
    160 /* 32-bit Rotate-right (used in SHA-224 and SHA-256): */
    161 #define S32(b,x)	(((x) >> (b)) | ((x) << (32 - (b))))
    162 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
    163 #define S64(b,x)	(((x) >> (b)) | ((x) << (64 - (b))))
    164 
    165 /* Two of six logical functions used in SHA-224, SHA-256, SHA-384, and SHA-512: */
    166 #define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
    167 #define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
    168 
    169 /* Four of six logical functions used in SHA-224 and SHA-256: */
    170 #define Sigma0_256(x)	(S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
    171 #define Sigma1_256(x)	(S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
    172 #define sigma0_256(x)	(S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
    173 #define sigma1_256(x)	(S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
    174 
    175 /* Four of six logical functions used in SHA-384 and SHA-512: */
    176 #define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
    177 #define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
    178 #define sigma0_512(x)	(S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
    179 #define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
    180 
    181 
    182 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
    183 /* Hash constant words K for SHA-224 and SHA-256: */
    184 static const uint32_t K256[64] = {
    185 	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
    186 	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
    187 	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
    188 	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
    189 	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
    190 	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
    191 	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
    192 	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
    193 	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
    194 	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
    195 	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
    196 	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
    197 	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
    198 	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
    199 	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
    200 	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
    201 };
    202 
    203 /* Initial hash value H for SHA-224: */
    204 static const uint32_t sha224_initial_hash_value[8] = {
    205 	0xc1059ed8UL,
    206 	0x367cd507UL,
    207 	0x3070dd17UL,
    208 	0xf70e5939UL,
    209 	0xffc00b31UL,
    210 	0x68581511UL,
    211 	0x64f98fa7UL,
    212 	0xbefa4fa4UL
    213 };
    214 
    215 /* Initial hash value H for SHA-256: */
    216 static const uint32_t sha256_initial_hash_value[8] = {
    217 	0x6a09e667UL,
    218 	0xbb67ae85UL,
    219 	0x3c6ef372UL,
    220 	0xa54ff53aUL,
    221 	0x510e527fUL,
    222 	0x9b05688cUL,
    223 	0x1f83d9abUL,
    224 	0x5be0cd19UL
    225 };
    226 
    227 /* Hash constant words K for SHA-384 and SHA-512: */
    228 static const uint64_t K512[80] = {
    229 	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
    230 	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
    231 	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
    232 	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
    233 	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
    234 	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
    235 	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
    236 	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
    237 	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
    238 	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
    239 	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
    240 	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
    241 	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
    242 	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
    243 	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
    244 	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
    245 	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
    246 	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
    247 	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
    248 	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
    249 	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
    250 	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
    251 	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
    252 	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
    253 	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
    254 	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
    255 	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
    256 	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
    257 	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
    258 	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
    259 	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
    260 	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
    261 	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
    262 	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
    263 	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
    264 	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
    265 	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
    266 	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
    267 	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
    268 	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
    269 };
    270 
    271 /* Initial hash value H for SHA-512 */
    272 static const uint64_t sha512_initial_hash_value[8] = {
    273 	0x6a09e667f3bcc908ULL,
    274 	0xbb67ae8584caa73bULL,
    275 	0x3c6ef372fe94f82bULL,
    276 	0xa54ff53a5f1d36f1ULL,
    277 	0x510e527fade682d1ULL,
    278 	0x9b05688c2b3e6c1fULL,
    279 	0x1f83d9abfb41bd6bULL,
    280 	0x5be0cd19137e2179ULL
    281 };
    282 
    283 /*** SHA-256: *********************************************************/
    284 void
    285 SHA256Init(SHA2_CTX *context)
    286 {
    287 	memcpy(context->state.st32, sha256_initial_hash_value,
    288 	    sizeof(sha256_initial_hash_value));
    289 	memset(context->buffer, 0, sizeof(context->buffer));
    290 	context->bitcount[0] = 0;
    291 }
    292 
    293 #ifdef SHA2_UNROLL_TRANSFORM
    294 
    295 /* Unrolled SHA-256 round macros: */
    296 
    297 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do {				    \
    298 	BE_8_TO_32(W256[j], data);					    \
    299 	data += 4;							    \
    300 	T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
    301 	(d) += T1;							    \
    302 	(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));		    \
    303 	j++;								    \
    304 } while(0)
    305 
    306 #define ROUND256(a,b,c,d,e,f,g,h) do {					    \
    307 	s0 = W256[(j+1)&0x0f];						    \
    308 	s0 = sigma0_256(s0);						    \
    309 	s1 = W256[(j+14)&0x0f];						    \
    310 	s1 = sigma1_256(s1);						    \
    311 	T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] +	    \
    312 	     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);		    \
    313 	(d) += T1;							    \
    314 	(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));		    \
    315 	j++;								    \
    316 } while(0)
    317 
    318 void
    319 SHA256Transform(uint32_t state[8], const uint8_t data[SHA256_BLOCK_LENGTH])
    320 {
    321 	uint32_t	a, b, c, d, e, f, g, h, s0, s1;
    322 	uint32_t	T1, W256[16];
    323 	int		j;
    324 
    325 	/* Initialize registers with the prev. intermediate value */
    326 	a = state[0];
    327 	b = state[1];
    328 	c = state[2];
    329 	d = state[3];
    330 	e = state[4];
    331 	f = state[5];
    332 	g = state[6];
    333 	h = state[7];
    334 
    335 	j = 0;
    336 	do {
    337 		/* Rounds 0 to 15 (unrolled): */
    338 		ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
    339 		ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
    340 		ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
    341 		ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
    342 		ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
    343 		ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
    344 		ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
    345 		ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
    346 	} while (j < 16);
    347 
    348 	/* Now for the remaining rounds up to 63: */
    349 	do {
    350 		ROUND256(a,b,c,d,e,f,g,h);
    351 		ROUND256(h,a,b,c,d,e,f,g);
    352 		ROUND256(g,h,a,b,c,d,e,f);
    353 		ROUND256(f,g,h,a,b,c,d,e);
    354 		ROUND256(e,f,g,h,a,b,c,d);
    355 		ROUND256(d,e,f,g,h,a,b,c);
    356 		ROUND256(c,d,e,f,g,h,a,b);
    357 		ROUND256(b,c,d,e,f,g,h,a);
    358 	} while (j < 64);
    359 
    360 	/* Compute the current intermediate hash value */
    361 	state[0] += a;
    362 	state[1] += b;
    363 	state[2] += c;
    364 	state[3] += d;
    365 	state[4] += e;
    366 	state[5] += f;
    367 	state[6] += g;
    368 	state[7] += h;
    369 
    370 	/* Clean up */
    371 	a = b = c = d = e = f = g = h = T1 = 0;
    372 }
    373 
    374 #else /* SHA2_UNROLL_TRANSFORM */
    375 
    376 void
    377 SHA256Transform(uint32_t state[8], const uint8_t data[SHA256_BLOCK_LENGTH])
    378 {
    379 	uint32_t	a, b, c, d, e, f, g, h, s0, s1;
    380 	uint32_t	T1, T2, W256[16];
    381 	int		j;
    382 
    383 	/* Initialize registers with the prev. intermediate value */
    384 	a = state[0];
    385 	b = state[1];
    386 	c = state[2];
    387 	d = state[3];
    388 	e = state[4];
    389 	f = state[5];
    390 	g = state[6];
    391 	h = state[7];
    392 
    393 	j = 0;
    394 	do {
    395 		BE_8_TO_32(W256[j], data);
    396 		data += 4;
    397 		/* Apply the SHA-256 compression function to update a..h */
    398 		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
    399 		T2 = Sigma0_256(a) + Maj(a, b, c);
    400 		h = g;
    401 		g = f;
    402 		f = e;
    403 		e = d + T1;
    404 		d = c;
    405 		c = b;
    406 		b = a;
    407 		a = T1 + T2;
    408 
    409 		j++;
    410 	} while (j < 16);
    411 
    412 	do {
    413 		/* Part of the message block expansion: */
    414 		s0 = W256[(j+1)&0x0f];
    415 		s0 = sigma0_256(s0);
    416 		s1 = W256[(j+14)&0x0f];	
    417 		s1 = sigma1_256(s1);
    418 
    419 		/* Apply the SHA-256 compression function to update a..h */
    420 		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 
    421 		     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
    422 		T2 = Sigma0_256(a) + Maj(a, b, c);
    423 		h = g;
    424 		g = f;
    425 		f = e;
    426 		e = d + T1;
    427 		d = c;
    428 		c = b;
    429 		b = a;
    430 		a = T1 + T2;
    431 
    432 		j++;
    433 	} while (j < 64);
    434 
    435 	/* Compute the current intermediate hash value */
    436 	state[0] += a;
    437 	state[1] += b;
    438 	state[2] += c;
    439 	state[3] += d;
    440 	state[4] += e;
    441 	state[5] += f;
    442 	state[6] += g;
    443 	state[7] += h;
    444 
    445 	/* Clean up */
    446 	a = b = c = d = e = f = g = h = T1 = T2 = 0;
    447 }
    448 
    449 #endif /* SHA2_UNROLL_TRANSFORM */
    450 
    451 void
    452 SHA256Update(SHA2_CTX *context, const uint8_t *data, size_t len)
    453 {
    454 	size_t	freespace, usedspace;
    455 
    456 	/* Calling with no data is valid (we do nothing) */
    457 	if (len == 0)
    458 		return;
    459 
    460 	usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
    461 	if (usedspace > 0) {
    462 		/* Calculate how much free space is available in the buffer */
    463 		freespace = SHA256_BLOCK_LENGTH - usedspace;
    464 
    465 		if (len >= freespace) {
    466 			/* Fill the buffer completely and process it */
    467 			memcpy(&context->buffer[usedspace], data, freespace);
    468 			context->bitcount[0] += freespace << 3;
    469 			len -= freespace;
    470 			data += freespace;
    471 			SHA256Transform(context->state.st32, context->buffer);
    472 		} else {
    473 			/* The buffer is not yet full */
    474 			memcpy(&context->buffer[usedspace], data, len);
    475 			context->bitcount[0] += len << 3;
    476 			/* Clean up: */
    477 			usedspace = freespace = 0;
    478 			return;
    479 		}
    480 	}
    481 	while (len >= SHA256_BLOCK_LENGTH) {
    482 		/* Process as many complete blocks as we can */
    483 		SHA256Transform(context->state.st32, data);
    484 		context->bitcount[0] += SHA256_BLOCK_LENGTH << 3;
    485 		len -= SHA256_BLOCK_LENGTH;
    486 		data += SHA256_BLOCK_LENGTH;
    487 	}
    488 	if (len > 0) {
    489 		/* There's left-overs, so save 'em */
    490 		memcpy(context->buffer, data, len);
    491 		context->bitcount[0] += len << 3;
    492 	}
    493 	/* Clean up: */
    494 	usedspace = freespace = 0;
    495 }
    496 
    497 void
    498 SHA256Pad(SHA2_CTX *context)
    499 {
    500 	unsigned int	usedspace;
    501 
    502 	usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
    503 	if (usedspace > 0) {
    504 		/* Begin padding with a 1 bit: */
    505 		context->buffer[usedspace++] = 0x80;
    506 
    507 		if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
    508 			/* Set-up for the last transform: */
    509 			memset(&context->buffer[usedspace], 0,
    510 			    SHA256_SHORT_BLOCK_LENGTH - usedspace);
    511 		} else {
    512 			if (usedspace < SHA256_BLOCK_LENGTH) {
    513 				memset(&context->buffer[usedspace], 0,
    514 				    SHA256_BLOCK_LENGTH - usedspace);
    515 			}
    516 			/* Do second-to-last transform: */
    517 			SHA256Transform(context->state.st32, context->buffer);
    518 
    519 			/* Prepare for last transform: */
    520 			memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
    521 		}
    522 	} else {
    523 		/* Set-up for the last transform: */
    524 		memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
    525 
    526 		/* Begin padding with a 1 bit: */
    527 		*context->buffer = 0x80;
    528 	}
    529 	/* Store the length of input data (in bits) in big endian format: */
    530 	BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH],
    531 	    context->bitcount[0]);
    532 
    533 	/* Final transform: */
    534 	SHA256Transform(context->state.st32, context->buffer);
    535 
    536 	/* Clean up: */
    537 	usedspace = 0;
    538 }
    539 
    540 void
    541 SHA256Final(uint8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *context)
    542 {
    543 	SHA256Pad(context);
    544 
    545 #if BYTE_ORDER == LITTLE_ENDIAN
    546 	int	i;
    547 
    548 	/* Convert TO host byte order */
    549 	for (i = 0; i < 8; i++)
    550 		BE_32_TO_8(digest + i * 4, context->state.st32[i]);
    551 #else
    552 	memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH);
    553 #endif
    554 	explicit_bzero(context, sizeof(*context));
    555 }
    556 
    557 
    558 /*** SHA-512: *********************************************************/
    559 void
    560 SHA512Init(SHA2_CTX *context)
    561 {
    562 	memcpy(context->state.st64, sha512_initial_hash_value,
    563 	    sizeof(sha512_initial_hash_value));
    564 	memset(context->buffer, 0, sizeof(context->buffer));
    565 	context->bitcount[0] = context->bitcount[1] =  0;
    566 }
    567 
    568 #ifdef SHA2_UNROLL_TRANSFORM
    569 
    570 /* Unrolled SHA-512 round macros: */
    571 
    572 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do {				    \
    573 	BE_8_TO_64(W512[j], data);					    \
    574 	data += 8;							    \
    575 	T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
    576 	(d) += T1;							    \
    577 	(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));		    \
    578 	j++;								    \
    579 } while(0)
    580 
    581 
    582 #define ROUND512(a,b,c,d,e,f,g,h) do {					    \
    583 	s0 = W512[(j+1)&0x0f];						    \
    584 	s0 = sigma0_512(s0);						    \
    585 	s1 = W512[(j+14)&0x0f];						    \
    586 	s1 = sigma1_512(s1);						    \
    587 	T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] +	    \
    588              (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);		    \
    589 	(d) += T1;							    \
    590 	(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));		    \
    591 	j++;								    \
    592 } while(0)
    593 
    594 void
    595 SHA512Transform(uint64_t state[8], const uint8_t data[SHA512_BLOCK_LENGTH])
    596 {
    597 	uint64_t	a, b, c, d, e, f, g, h, s0, s1;
    598 	uint64_t	T1, W512[16];
    599 	int		j;
    600 
    601 	/* Initialize registers with the prev. intermediate value */
    602 	a = state[0];
    603 	b = state[1];
    604 	c = state[2];
    605 	d = state[3];
    606 	e = state[4];
    607 	f = state[5];
    608 	g = state[6];
    609 	h = state[7];
    610 
    611 	j = 0;
    612 	do {
    613 		/* Rounds 0 to 15 (unrolled): */
    614 		ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
    615 		ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
    616 		ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
    617 		ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
    618 		ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
    619 		ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
    620 		ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
    621 		ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
    622 	} while (j < 16);
    623 
    624 	/* Now for the remaining rounds up to 79: */
    625 	do {
    626 		ROUND512(a,b,c,d,e,f,g,h);
    627 		ROUND512(h,a,b,c,d,e,f,g);
    628 		ROUND512(g,h,a,b,c,d,e,f);
    629 		ROUND512(f,g,h,a,b,c,d,e);
    630 		ROUND512(e,f,g,h,a,b,c,d);
    631 		ROUND512(d,e,f,g,h,a,b,c);
    632 		ROUND512(c,d,e,f,g,h,a,b);
    633 		ROUND512(b,c,d,e,f,g,h,a);
    634 	} while (j < 80);
    635 
    636 	/* Compute the current intermediate hash value */
    637 	state[0] += a;
    638 	state[1] += b;
    639 	state[2] += c;
    640 	state[3] += d;
    641 	state[4] += e;
    642 	state[5] += f;
    643 	state[6] += g;
    644 	state[7] += h;
    645 
    646 	/* Clean up */
    647 	a = b = c = d = e = f = g = h = T1 = 0;
    648 }
    649 
    650 #else /* SHA2_UNROLL_TRANSFORM */
    651 
    652 void
    653 SHA512Transform(uint64_t state[8], const uint8_t data[SHA512_BLOCK_LENGTH])
    654 {
    655 	uint64_t	a, b, c, d, e, f, g, h, s0, s1;
    656 	uint64_t	T1, T2, W512[16];
    657 	int		j;
    658 
    659 	/* Initialize registers with the prev. intermediate value */
    660 	a = state[0];
    661 	b = state[1];
    662 	c = state[2];
    663 	d = state[3];
    664 	e = state[4];
    665 	f = state[5];
    666 	g = state[6];
    667 	h = state[7];
    668 
    669 	j = 0;
    670 	do {
    671 		BE_8_TO_64(W512[j], data);
    672 		data += 8;
    673 		/* Apply the SHA-512 compression function to update a..h */
    674 		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
    675 		T2 = Sigma0_512(a) + Maj(a, b, c);
    676 		h = g;
    677 		g = f;
    678 		f = e;
    679 		e = d + T1;
    680 		d = c;
    681 		c = b;
    682 		b = a;
    683 		a = T1 + T2;
    684 
    685 		j++;
    686 	} while (j < 16);
    687 
    688 	do {
    689 		/* Part of the message block expansion: */
    690 		s0 = W512[(j+1)&0x0f];
    691 		s0 = sigma0_512(s0);
    692 		s1 = W512[(j+14)&0x0f];
    693 		s1 =  sigma1_512(s1);
    694 
    695 		/* Apply the SHA-512 compression function to update a..h */
    696 		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
    697 		     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
    698 		T2 = Sigma0_512(a) + Maj(a, b, c);
    699 		h = g;
    700 		g = f;
    701 		f = e;
    702 		e = d + T1;
    703 		d = c;
    704 		c = b;
    705 		b = a;
    706 		a = T1 + T2;
    707 
    708 		j++;
    709 	} while (j < 80);
    710 
    711 	/* Compute the current intermediate hash value */
    712 	state[0] += a;
    713 	state[1] += b;
    714 	state[2] += c;
    715 	state[3] += d;
    716 	state[4] += e;
    717 	state[5] += f;
    718 	state[6] += g;
    719 	state[7] += h;
    720 
    721 	/* Clean up */
    722 	a = b = c = d = e = f = g = h = T1 = T2 = 0;
    723 }
    724 
    725 #endif /* SHA2_UNROLL_TRANSFORM */
    726 
    727 void
    728 SHA512Update(SHA2_CTX *context, const uint8_t *data, size_t len)
    729 {
    730 	size_t	freespace, usedspace;
    731 
    732 	/* Calling with no data is valid (we do nothing) */
    733 	if (len == 0)
    734 		return;
    735 
    736 	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
    737 	if (usedspace > 0) {
    738 		/* Calculate how much free space is available in the buffer */
    739 		freespace = SHA512_BLOCK_LENGTH - usedspace;
    740 
    741 		if (len >= freespace) {
    742 			/* Fill the buffer completely and process it */
    743 			memcpy(&context->buffer[usedspace], data, freespace);
    744 			ADDINC128(context->bitcount, freespace << 3);
    745 			len -= freespace;
    746 			data += freespace;
    747 			SHA512Transform(context->state.st64, context->buffer);
    748 		} else {
    749 			/* The buffer is not yet full */
    750 			memcpy(&context->buffer[usedspace], data, len);
    751 			ADDINC128(context->bitcount, len << 3);
    752 			/* Clean up: */
    753 			usedspace = freespace = 0;
    754 			return;
    755 		}
    756 	}
    757 	while (len >= SHA512_BLOCK_LENGTH) {
    758 		/* Process as many complete blocks as we can */
    759 		SHA512Transform(context->state.st64, data);
    760 		ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
    761 		len -= SHA512_BLOCK_LENGTH;
    762 		data += SHA512_BLOCK_LENGTH;
    763 	}
    764 	if (len > 0) {
    765 		/* There's left-overs, so save 'em */
    766 		memcpy(context->buffer, data, len);
    767 		ADDINC128(context->bitcount, len << 3);
    768 	}
    769 	/* Clean up: */
    770 	usedspace = freespace = 0;
    771 }
    772 
    773 void
    774 SHA512Pad(SHA2_CTX *context)
    775 {
    776 	unsigned int	usedspace;
    777 
    778 	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
    779 	if (usedspace > 0) {
    780 		/* Begin padding with a 1 bit: */
    781 		context->buffer[usedspace++] = 0x80;
    782 
    783 		if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
    784 			/* Set-up for the last transform: */
    785 			memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace);
    786 		} else {
    787 			if (usedspace < SHA512_BLOCK_LENGTH) {
    788 				memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace);
    789 			}
    790 			/* Do second-to-last transform: */
    791 			SHA512Transform(context->state.st64, context->buffer);
    792 
    793 			/* And set-up for the last transform: */
    794 			memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
    795 		}
    796 	} else {
    797 		/* Prepare for final transform: */
    798 		memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
    799 
    800 		/* Begin padding with a 1 bit: */
    801 		*context->buffer = 0x80;
    802 	}
    803 	/* Store the length of input data (in bits) in big endian format: */
    804 	BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH],
    805 	    context->bitcount[1]);
    806 	BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8],
    807 	    context->bitcount[0]);
    808 
    809 	/* Final transform: */
    810 	SHA512Transform(context->state.st64, context->buffer);
    811 
    812 	/* Clean up: */
    813 	usedspace = 0;
    814 }
    815 
    816 void
    817 SHA512Final(uint8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *context)
    818 {
    819 	SHA512Pad(context);
    820 
    821 #if BYTE_ORDER == LITTLE_ENDIAN
    822 	int	i;
    823 
    824 	/* Convert TO host byte order */
    825 	for (i = 0; i < 8; i++)
    826 		BE_64_TO_8(digest + i * 8, context->state.st64[i]);
    827 #else
    828 	memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH);
    829 #endif
    830 	explicit_bzero(context, sizeof(*context));
    831 }