sha2.c (18660B)
1 /* 2 * FILE: sha2.c 3 * AUTHOR: Aaron D. Gifford <me@aarongifford.com> 4 * 5 * Copyright (c) 2000-2001, Aaron D. Gifford 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the copyright holder nor the names of contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */ 34 #include <assert.h> /* assert() */ 35 36 #include "libvx32/words.h" // XXX 37 #ifndef BYTE_ORDER 38 #define BYTE_ORDER LITTLE_ENDIAN // XXX 39 #endif 40 41 #include "sha2.h" 42 43 44 /* 45 * ASSERT NOTE: 46 * Some sanity checking code is included using assert(). On my FreeBSD 47 * system, this additional code can be removed by compiling with NDEBUG 48 * defined. Check your own systems manpage on assert() to see how to 49 * compile WITHOUT the sanity checking code on your system. 50 * 51 * UNROLLED TRANSFORM LOOP NOTE: 52 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 53 * loop version for the hash transform rounds (defined using macros 54 * later in this file). Either define on the command line, for example: 55 * 56 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 57 * 58 * or define below: 59 * 60 * #define SHA2_UNROLL_TRANSFORM 61 * 62 */ 63 64 65 /*** SHA-256/384/512 Machine Architecture Definitions *****************/ 66 /* 67 * BYTE_ORDER NOTE: 68 * 69 * Please make sure that your system defines BYTE_ORDER. If your 70 * architecture is little-endian, make sure it also defines 71 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are 72 * equivilent. 73 * 74 * If your system does not define the above, then you can do so by 75 * hand like this: 76 * 77 * #define LITTLE_ENDIAN 1234 78 * #define BIG_ENDIAN 4321 79 * 80 * And for little-endian machines, add: 81 * 82 * #define BYTE_ORDER LITTLE_ENDIAN 83 * 84 * Or for big-endian machines: 85 * 86 * #define BYTE_ORDER BIG_ENDIAN 87 * 88 * The FreeBSD machine this was written on defines BYTE_ORDER 89 * appropriately by including <sys/types.h> (which in turn includes 90 * <machine/endian.h> where the appropriate definitions are actually 91 * made). 92 */ 93 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) 94 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN 95 #endif 96 97 /* 98 * Define the followingsha2_* types to types of the correct length on 99 * the native archtecture. Most BSD systems and Linux define u_intXX_t 100 * types. Machines with very recent ANSI C headers, can use the 101 * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H 102 * during compile or in the sha.h header file. 103 * 104 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t 105 * will need to define these three typedefs below (and the appropriate 106 * ones in sha.h too) by hand according to their system architecture. 107 * 108 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t 109 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h. 110 */ 111 112 typedef uint8_t sha2_byte; /* Exactly 1 byte */ 113 typedef uint32_t sha2_word32; /* Exactly 4 bytes */ 114 typedef uint64_t sha2_word64; /* Exactly 8 bytes */ 115 116 117 /*** SHA-256/384/512 Various Length Definitions ***********************/ 118 /* NOTE: Most of these are in sha2.h */ 119 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 120 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 121 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 122 123 124 /* 125 * Macro for incrementally adding the unsigned 64-bit integer n to the 126 * unsigned 128-bit integer (represented using a two-element array of 127 * 64-bit words): 128 */ 129 #define ADDINC128(w,n) { \ 130 (w)[0] += (sha2_word64)(n); \ 131 if ((w)[0] < (n)) { \ 132 (w)[1]++; \ 133 } \ 134 } 135 136 /* 137 * Macros for copying blocks of memory and for zeroing out ranges 138 * of memory. Using these macros makes it easy to switch from 139 * using memset()/memcpy() and using bzero()/bcopy(). 140 * 141 * Please define either SHA2_USE_MEMSET_MEMCPY or define 142 * SHA2_USE_BZERO_BCOPY depending on which function set you 143 * choose to use: 144 */ 145 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY) 146 /* Default to memset()/memcpy() if no option is specified */ 147 #define SHA2_USE_MEMSET_MEMCPY 1 148 #endif 149 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY) 150 /* Abort with an error if BOTH options are defined */ 151 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both! 152 #endif 153 154 #ifdef SHA2_USE_MEMSET_MEMCPY 155 #define MEMSET_BZERO(p,l) memset((p), 0, (l)) 156 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l)) 157 #endif 158 #ifdef SHA2_USE_BZERO_BCOPY 159 #define MEMSET_BZERO(p,l) bzero((p), (l)) 160 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l)) 161 #endif 162 163 164 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 165 /* 166 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 167 * 168 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 169 * S is a ROTATION) because the SHA-256/384/512 description document 170 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 171 * same "backwards" definition. 172 */ 173 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 174 #define R(b,x) ((x) >> (b)) 175 /* 32-bit Rotate-right (used in SHA-256): */ 176 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 177 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 178 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 179 180 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 181 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 182 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 183 184 /* Four of six logical functions used in SHA-256: */ 185 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 186 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 187 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 188 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 189 190 /* Four of six logical functions used in SHA-384 and SHA-512: */ 191 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 192 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 193 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 194 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 195 196 197 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 198 /* NOTE: These should not be accessed directly from outside this 199 * library -- they are intended for private internal visibility/use 200 * only. 201 */ 202 void SHA512_Last(SHA512_CTX*); 203 void SHA512_Transform(SHA512_CTX*, const sha2_word64*); 204 205 206 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 207 208 /* Hash constant words K for SHA-384 and SHA-512: */ 209 const static sha2_word64 K512[80] = { 210 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 211 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 212 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 213 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 214 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 215 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 216 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 217 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 218 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 219 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 220 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 221 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 222 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 223 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 224 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 225 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 226 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 227 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 228 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 229 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 230 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 231 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 232 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 233 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 234 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 235 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 236 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 237 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 238 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 239 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 240 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 241 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 242 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 243 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 244 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 245 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 246 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 247 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 248 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 249 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 250 }; 251 252 /* Initial hash value H for SHA-384 */ 253 const static sha2_word64 sha384_initial_hash_value[8] = { 254 0xcbbb9d5dc1059ed8ULL, 255 0x629a292a367cd507ULL, 256 0x9159015a3070dd17ULL, 257 0x152fecd8f70e5939ULL, 258 0x67332667ffc00b31ULL, 259 0x8eb44a8768581511ULL, 260 0xdb0c2e0d64f98fa7ULL, 261 0x47b5481dbefa4fa4ULL 262 }; 263 264 /* Initial hash value H for SHA-512 */ 265 const static sha2_word64 sha512_initial_hash_value[8] = { 266 0x6a09e667f3bcc908ULL, 267 0xbb67ae8584caa73bULL, 268 0x3c6ef372fe94f82bULL, 269 0xa54ff53a5f1d36f1ULL, 270 0x510e527fade682d1ULL, 271 0x9b05688c2b3e6c1fULL, 272 0x1f83d9abfb41bd6bULL, 273 0x5be0cd19137e2179ULL 274 }; 275 276 277 /*** SHA-512: *********************************************************/ 278 void SHA512_Init(SHA512_CTX* context) { 279 if (context == (SHA512_CTX*)0) { 280 return; 281 } 282 MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH); 283 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH); 284 context->bitcount[0] = context->bitcount[1] = 0; 285 } 286 287 #ifdef SHA2_UNROLL_TRANSFORM 288 289 /* Unrolled SHA-512 round macros: */ 290 291 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 292 W512[j] = btoh64(*data++); \ 293 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 294 K512[j] + W512[j]; \ 295 (d) += T1, \ 296 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 297 j++ 298 299 #define ROUND512(a,b,c,d,e,f,g,h) \ 300 s0 = W512[(j+1)&0x0f]; \ 301 s0 = sigma0_512(s0); \ 302 s1 = W512[(j+14)&0x0f]; \ 303 s1 = sigma1_512(s1); \ 304 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 305 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 306 (d) += T1; \ 307 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 308 j++ 309 310 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { 311 sha2_word64 a, b, c, d, e, f, g, h, s0, s1; 312 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer; 313 int j; 314 315 /* Initialize registers with the prev. intermediate value */ 316 a = context->state[0]; 317 b = context->state[1]; 318 c = context->state[2]; 319 d = context->state[3]; 320 e = context->state[4]; 321 f = context->state[5]; 322 g = context->state[6]; 323 h = context->state[7]; 324 325 j = 0; 326 do { 327 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 328 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 329 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 330 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 331 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 332 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 333 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 334 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 335 } while (j < 16); 336 337 /* Now for the remaining rounds up to 79: */ 338 do { 339 ROUND512(a,b,c,d,e,f,g,h); 340 ROUND512(h,a,b,c,d,e,f,g); 341 ROUND512(g,h,a,b,c,d,e,f); 342 ROUND512(f,g,h,a,b,c,d,e); 343 ROUND512(e,f,g,h,a,b,c,d); 344 ROUND512(d,e,f,g,h,a,b,c); 345 ROUND512(c,d,e,f,g,h,a,b); 346 ROUND512(b,c,d,e,f,g,h,a); 347 } while (j < 80); 348 349 /* Compute the current intermediate hash value */ 350 context->state[0] += a; 351 context->state[1] += b; 352 context->state[2] += c; 353 context->state[3] += d; 354 context->state[4] += e; 355 context->state[5] += f; 356 context->state[6] += g; 357 context->state[7] += h; 358 359 /* Clean up */ 360 a = b = c = d = e = f = g = h = T1 = 0; 361 } 362 363 #else /* SHA2_UNROLL_TRANSFORM */ 364 365 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { 366 sha2_word64 a, b, c, d, e, f, g, h, s0, s1; 367 sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer; 368 int j; 369 370 /* Initialize registers with the prev. intermediate value */ 371 a = context->state[0]; 372 b = context->state[1]; 373 c = context->state[2]; 374 d = context->state[3]; 375 e = context->state[4]; 376 f = context->state[5]; 377 g = context->state[6]; 378 h = context->state[7]; 379 380 j = 0; 381 do { 382 /* Convert TO host byte order */ 383 W512[j] = btoh64(*data++); 384 385 /* Apply the SHA-512 compression function to update a..h */ 386 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 387 T2 = Sigma0_512(a) + Maj(a, b, c); 388 h = g; 389 g = f; 390 f = e; 391 e = d + T1; 392 d = c; 393 c = b; 394 b = a; 395 a = T1 + T2; 396 397 j++; 398 } while (j < 16); 399 400 do { 401 /* Part of the message block expansion: */ 402 s0 = W512[(j+1)&0x0f]; 403 s0 = sigma0_512(s0); 404 s1 = W512[(j+14)&0x0f]; 405 s1 = sigma1_512(s1); 406 407 /* Apply the SHA-512 compression function to update a..h */ 408 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 409 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 410 T2 = Sigma0_512(a) + Maj(a, b, c); 411 h = g; 412 g = f; 413 f = e; 414 e = d + T1; 415 d = c; 416 c = b; 417 b = a; 418 a = T1 + T2; 419 420 j++; 421 } while (j < 80); 422 423 /* Compute the current intermediate hash value */ 424 context->state[0] += a; 425 context->state[1] += b; 426 context->state[2] += c; 427 context->state[3] += d; 428 context->state[4] += e; 429 context->state[5] += f; 430 context->state[6] += g; 431 context->state[7] += h; 432 433 /* Clean up */ 434 a = b = c = d = e = f = g = h = T1 = T2 = 0; 435 } 436 437 #endif /* SHA2_UNROLL_TRANSFORM */ 438 439 void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) { 440 unsigned int freespace, usedspace; 441 442 if (len == 0) { 443 /* Calling with no data is valid - we do nothing */ 444 return; 445 } 446 447 /* Sanity check: */ 448 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0); 449 450 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 451 if (usedspace > 0) { 452 /* Calculate how much free space is available in the buffer */ 453 freespace = SHA512_BLOCK_LENGTH - usedspace; 454 455 if (len >= freespace) { 456 /* Fill the buffer completely and process it */ 457 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace); 458 ADDINC128(context->bitcount, freespace << 3); 459 len -= freespace; 460 data += freespace; 461 SHA512_Transform(context, (sha2_word64*)context->buffer); 462 } else { 463 /* The buffer is not yet full */ 464 MEMCPY_BCOPY(&context->buffer[usedspace], data, len); 465 ADDINC128(context->bitcount, len << 3); 466 /* Clean up: */ 467 usedspace = freespace = 0; 468 return; 469 } 470 } 471 while (len >= SHA512_BLOCK_LENGTH) { 472 /* Process as many complete blocks as we can */ 473 SHA512_Transform(context, (sha2_word64*)data); 474 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 475 len -= SHA512_BLOCK_LENGTH; 476 data += SHA512_BLOCK_LENGTH; 477 } 478 if (len > 0) { 479 /* There's left-overs, so save 'em */ 480 MEMCPY_BCOPY(context->buffer, data, len); 481 ADDINC128(context->bitcount, len << 3); 482 } 483 /* Clean up: */ 484 usedspace = freespace = 0; 485 } 486 487 void SHA512_Last(SHA512_CTX* context) { 488 unsigned int usedspace; 489 490 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 491 492 /* Convert FROM host byte order */ 493 context->bitcount[0] = htob64(context->bitcount[0]); 494 context->bitcount[1] = htob64(context->bitcount[1]); 495 496 /* Begin padding with a 1 bit: */ 497 context->buffer[usedspace++] = 0x80; 498 499 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 500 501 /* Set-up for the last transform: */ 502 MEMSET_BZERO(&context->buffer[usedspace], 503 SHA512_SHORT_BLOCK_LENGTH - usedspace); 504 } else { 505 MEMSET_BZERO(&context->buffer[usedspace], 506 SHA512_BLOCK_LENGTH - usedspace); 507 508 /* Do second-to-last transform: */ 509 SHA512_Transform(context, (sha2_word64*)context->buffer); 510 511 /* And set-up for the last transform: */ 512 MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH); 513 } 514 515 /* Store the length of input data (in bits): */ 516 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = 517 context->bitcount[1]; 518 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = 519 context->bitcount[0]; 520 521 /* Final transform: */ 522 SHA512_Transform(context, (sha2_word64*)context->buffer); 523 } 524 525 void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) { 526 sha2_word64 *d = (sha2_word64*)digest; 527 528 /* Sanity check: */ 529 assert(context != (SHA512_CTX*)0); 530 531 /* If no digest buffer is passed, we don't bother doing this: */ 532 if (digest != (sha2_byte*)0) { 533 SHA512_Last(context); 534 535 /* Save the hash data for output: */ 536 /* Convert FROM host byte order */ 537 for (int j = 0; j < 8; j++) { 538 *d++ = htob64(context->state[j]); 539 } 540 } 541 542 /* Zero out state data */ 543 MEMSET_BZERO(context, sizeof(context)); 544 } 545 546 547 /*** SHA-384: *********************************************************/ 548 void SHA384_Init(SHA384_CTX* context) { 549 if (context == (SHA384_CTX*)0) { 550 return; 551 } 552 MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH); 553 MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH); 554 context->bitcount[0] = context->bitcount[1] = 0; 555 } 556 557 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) { 558 SHA512_Update((SHA512_CTX*)context, data, len); 559 } 560 561 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) { 562 sha2_word64 *d = (sha2_word64*)digest; 563 564 /* Sanity check: */ 565 assert(context != (SHA384_CTX*)0); 566 567 /* If no digest buffer is passed, we don't bother doing this: */ 568 if (digest != (sha2_byte*)0) { 569 SHA512_Last((SHA512_CTX*)context); 570 571 /* Save the hash data for output */ 572 for (int j = 0; j < 6; j++) { 573 *d++ = htob64(context->state[j]); 574 } 575 } 576 577 /* Zero out state data */ 578 MEMSET_BZERO(context, sizeof(context)); 579 } 580 581 void SHA384(const sha2_byte* data, size_t len, 582 char digest[SHA384_DIGEST_LENGTH]) { 583 SHA384_CTX context; 584 585 SHA384_Init(&context); 586 SHA384_Update(&context, data, len); 587 SHA384_Final(digest, &context); 588 } 589