1
0

sha2.c 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609
  1. /*
  2. * FILE: sha2.c
  3. * AUTHOR: Aaron D. Gifford <[email protected]>
  4. *
  5. * Copyright (c) 2000-2001, Aaron D. Gifford
  6. * All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. * 1. Redistributions of source code must retain the above copyright
  12. * notice, this list of conditions and the following disclaimer.
  13. * 2. Redistributions in binary form must reproduce the above copyright
  14. * notice, this list of conditions and the following disclaimer in the
  15. * documentation and/or other materials provided with the distribution.
  16. * 3. Neither the name of the copyright holder nor the names of contributors
  17. * may be used to endorse or promote products derived from this software
  18. * without specific prior written permission.
  19. *
  20. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
  21. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
  24. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30. * SUCH DAMAGE.
  31. *
  32. */
  33. #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
  34. #include <assert.h> /* assert() */
  35. #include "sha2.h"
  36. /*
  37. * ASSERT NOTE:
  38. * Some sanity checking code is included using assert(). On my FreeBSD
  39. * system, this additional code can be removed by compiling with NDEBUG
  40. * defined. Check your own systems manpage on assert() to see how to
  41. * compile WITHOUT the sanity checking code on your system.
  42. *
  43. * UNROLLED TRANSFORM LOOP NOTE:
  44. * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
  45. * loop version for the hash transform rounds (defined using macros
  46. * later in this file). Either define on the command line, for example:
  47. *
  48. * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
  49. *
  50. * or define below:
  51. *
  52. * #define SHA2_UNROLL_TRANSFORM
  53. *
  54. */
  55. /*** SHA-256/384/512 Machine Architecture Definitions *****************/
  56. /*
  57. * BYTE_ORDER NOTE:
  58. *
  59. * Please make sure that your system defines BYTE_ORDER. If your
  60. * architecture is little-endian, make sure it also defines
  61. * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
  62. * equivilent.
  63. *
  64. * If your system does not define the above, then you can do so by
  65. * hand like this:
  66. *
  67. * #define LITTLE_ENDIAN 1234
  68. * #define BIG_ENDIAN 4321
  69. *
  70. * And for little-endian machines, add:
  71. *
  72. * #define BYTE_ORDER LITTLE_ENDIAN
  73. *
  74. * Or for big-endian machines:
  75. *
  76. * #define BYTE_ORDER BIG_ENDIAN
  77. *
  78. * The FreeBSD machine this was written on defines BYTE_ORDER
  79. * appropriately by including <sys/types.h> (which in turn includes
  80. * <machine/endian.h> where the appropriate definitions are actually
  81. * made).
  82. */
  83. #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
  84. #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
  85. #endif
  86. /*
  87. * Define the followingsha2_* types to types of the correct length on
  88. * the native archtecture. Most BSD systems and Linux define u_intXX_t
  89. * types. Machines with very recent ANSI C headers, can use the
  90. * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
  91. * during compile or in the sha.h header file.
  92. *
  93. * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
  94. * will need to define these three typedefs below (and the appropriate
  95. * ones in sha.h too) by hand according to their system architecture.
  96. *
  97. * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
  98. * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
  99. */
  100. #ifdef SHA2_USE_INTTYPES_H
  101. typedef uint8_t sha2_byte; /* Exactly 1 byte */
  102. typedef uint32_t sha2_word32; /* Exactly 4 bytes */
  103. typedef uint64_t sha2_word64; /* Exactly 8 bytes */
  104. #else /* SHA2_USE_INTTYPES_H */
  105. typedef u_int8_t sha2_byte; /* Exactly 1 byte */
  106. typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
  107. typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
  108. #endif /* SHA2_USE_INTTYPES_H */
  109. /*** SHA-256/384/512 Various Length Definitions ***********************/
  110. /* NOTE: Most of these are in sha2.h */
  111. #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
  112. #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
  113. #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
  114. /*** ENDIAN REVERSAL MACROS *******************************************/
  115. #if BYTE_ORDER == LITTLE_ENDIAN
  116. #define REVERSE32(w,x) { \
  117. sha2_word32 tmp = (w); \
  118. tmp = (tmp >> 16) | (tmp << 16); \
  119. (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
  120. }
  121. #ifdef WIN32
  122. #define REVERSE64(w,x) { \
  123. sha2_word64 tmp = (w); \
  124. tmp = (tmp >> 32) | (tmp << 32); \
  125. tmp = ((tmp & 0xff00ff00ff00ff00Ui64) >> 8) | \
  126. ((tmp & 0x00ff00ff00ff00ffUi64) << 8); \
  127. (x) = ((tmp & 0xffff0000ffff0000Ui64) >> 16) | \
  128. ((tmp & 0x0000ffff0000ffffUi64) << 16); \
  129. }
  130. #else
  131. #define REVERSE64(w,x) { \
  132. sha2_word64 tmp = (w); \
  133. tmp = (tmp >> 32) | (tmp << 32); \
  134. tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
  135. ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
  136. (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
  137. ((tmp & 0x0000ffff0000ffffULL) << 16); \
  138. }
  139. #endif /* WIN32 */
  140. #endif /* BYTE_ORDER == LITTLE_ENDIAN */
  141. /*
  142. * Macro for incrementally adding the unsigned 64-bit integer n to the
  143. * unsigned 128-bit integer (represented using a two-element array of
  144. * 64-bit words):
  145. */
  146. #define ADDINC128(w,n) { \
  147. (w)[0] += (sha2_word64)(n); \
  148. if ((w)[0] < (n)) { \
  149. (w)[1]++; \
  150. } \
  151. }
  152. /*
  153. * Macros for copying blocks of memory and for zeroing out ranges
  154. * of memory. Using these macros makes it easy to switch from
  155. * using memset()/memcpy() and using bzero()/bcopy().
  156. *
  157. * Please define either SHA2_USE_MEMSET_MEMCPY or define
  158. * SHA2_USE_BZERO_BCOPY depending on which function set you
  159. * choose to use:
  160. */
  161. #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
  162. /* Default to memset()/memcpy() if no option is specified */
  163. #define SHA2_USE_MEMSET_MEMCPY 1
  164. #endif
  165. #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
  166. /* Abort with an error if BOTH options are defined */
  167. #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
  168. #endif
  169. #ifdef SHA2_USE_MEMSET_MEMCPY
  170. #define MEMSET_BZERO(p,l) memset((p), 0, (l))
  171. #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
  172. #endif
  173. #ifdef SHA2_USE_BZERO_BCOPY
  174. #define MEMSET_BZERO(p,l) bzero((p), (l))
  175. #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
  176. #endif
  177. /*** THE SIX LOGICAL FUNCTIONS ****************************************/
  178. /*
  179. * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
  180. *
  181. * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
  182. * S is a ROTATION) because the SHA-256/384/512 description document
  183. * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
  184. * same "backwards" definition.
  185. */
  186. /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
  187. #define R(b,x) ((x) >> (b))
  188. /* 32-bit Rotate-right (used in SHA-256): */
  189. #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
  190. /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
  191. #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
  192. /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
  193. #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
  194. #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
  195. /* Four of six logical functions used in SHA-256: */
  196. #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
  197. #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
  198. #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
  199. #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
  200. /* Four of six logical functions used in SHA-384 and SHA-512: */
  201. #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
  202. #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
  203. #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
  204. #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
  205. /*** INTERNAL FUNCTION PROTOTYPES *************************************/
  206. /* NOTE: These should not be accessed directly from outside this
  207. * library -- they are intended for private internal visibility/use
  208. * only.
  209. */
  210. void SHA512_Last(SHA512_CTX*);
  211. void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
  212. void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
  213. /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
  214. /* Hash constant words K for SHA-256: */
  215. const static sha2_word32 K256[64] = {
  216. 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
  217. 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
  218. 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
  219. 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
  220. 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
  221. 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
  222. 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
  223. 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
  224. 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
  225. 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
  226. 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
  227. 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
  228. 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
  229. 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
  230. 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
  231. 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
  232. };
  233. /* Initial hash value H for SHA-256: */
  234. const static sha2_word32 sha256_initial_hash_value[8] = {
  235. 0x6a09e667UL,
  236. 0xbb67ae85UL,
  237. 0x3c6ef372UL,
  238. 0xa54ff53aUL,
  239. 0x510e527fUL,
  240. 0x9b05688cUL,
  241. 0x1f83d9abUL,
  242. 0x5be0cd19UL
  243. };
  244. /*
  245. * Constant used by SHA256/384/512_End() functions for converting the
  246. * digest to a readable hexadecimal character string:
  247. */
  248. static const char *sha2_hex_digits = "0123456789abcdef";
  249. /*** SHA-256: *********************************************************/
  250. void SHA256_Init(SHA256_CTX* context) {
  251. if (context == (SHA256_CTX*)0) {
  252. return;
  253. }
  254. MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
  255. MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH);
  256. context->bitcount = 0;
  257. }
  258. #ifdef SHA2_UNROLL_TRANSFORM
  259. /* Unrolled SHA-256 round macros: */
  260. #if BYTE_ORDER == LITTLE_ENDIAN
  261. #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
  262. REVERSE32(*data++, W256[j]); \
  263. T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
  264. K256[j] + W256[j]; \
  265. (d) += T1; \
  266. (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
  267. j++
  268. #else /* BYTE_ORDER == LITTLE_ENDIAN */
  269. #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
  270. T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
  271. K256[j] + (W256[j] = *data++); \
  272. (d) += T1; \
  273. (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
  274. j++
  275. #endif /* BYTE_ORDER == LITTLE_ENDIAN */
  276. #define ROUND256(a,b,c,d,e,f,g,h) \
  277. s0 = W256[(j+1)&0x0f]; \
  278. s0 = sigma0_256(s0); \
  279. s1 = W256[(j+14)&0x0f]; \
  280. s1 = sigma1_256(s1); \
  281. T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
  282. (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
  283. (d) += T1; \
  284. (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
  285. j++
  286. void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
  287. sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
  288. sha2_word32 T1, *W256;
  289. int j;
  290. W256 = (sha2_word32*)context->buffer;
  291. /* Initialize registers with the prev. intermediate value */
  292. a = context->state[0];
  293. b = context->state[1];
  294. c = context->state[2];
  295. d = context->state[3];
  296. e = context->state[4];
  297. f = context->state[5];
  298. g = context->state[6];
  299. h = context->state[7];
  300. j = 0;
  301. do {
  302. /* Rounds 0 to 15 (unrolled): */
  303. ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
  304. ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
  305. ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
  306. ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
  307. ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
  308. ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
  309. ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
  310. ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
  311. } while (j < 16);
  312. /* Now for the remaining rounds to 64: */
  313. do {
  314. ROUND256(a,b,c,d,e,f,g,h);
  315. ROUND256(h,a,b,c,d,e,f,g);
  316. ROUND256(g,h,a,b,c,d,e,f);
  317. ROUND256(f,g,h,a,b,c,d,e);
  318. ROUND256(e,f,g,h,a,b,c,d);
  319. ROUND256(d,e,f,g,h,a,b,c);
  320. ROUND256(c,d,e,f,g,h,a,b);
  321. ROUND256(b,c,d,e,f,g,h,a);
  322. } while (j < 64);
  323. /* Compute the current intermediate hash value */
  324. context->state[0] += a;
  325. context->state[1] += b;
  326. context->state[2] += c;
  327. context->state[3] += d;
  328. context->state[4] += e;
  329. context->state[5] += f;
  330. context->state[6] += g;
  331. context->state[7] += h;
  332. /* Clean up */
  333. a = b = c = d = e = f = g = h = T1 = 0;
  334. }
  335. #else /* SHA2_UNROLL_TRANSFORM */
  336. void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
  337. sha2_word32 a, b, c, d, e, f, g, h;
  338. sha2_word32 T1, T2, *W256;
  339. int j;
  340. W256 = (sha2_word32*)context->buffer;
  341. /* Initialize registers with the prev. intermediate value */
  342. a = context->state[0];
  343. b = context->state[1];
  344. c = context->state[2];
  345. d = context->state[3];
  346. e = context->state[4];
  347. f = context->state[5];
  348. g = context->state[6];
  349. h = context->state[7];
  350. j = 0;
  351. do {
  352. #if BYTE_ORDER == LITTLE_ENDIAN
  353. /* Copy data while converting to host byte order */
  354. REVERSE32(*data++,W256[j]);
  355. /* Apply the SHA-256 compression function to update a..h */
  356. T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
  357. #else /* BYTE_ORDER == LITTLE_ENDIAN */
  358. /* Apply the SHA-256 compression function to update a..h with copy */
  359. T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
  360. #endif /* BYTE_ORDER == LITTLE_ENDIAN */
  361. T2 = Sigma0_256(a) + Maj(a, b, c);
  362. h = g;
  363. g = f;
  364. f = e;
  365. e = d + T1;
  366. d = c;
  367. c = b;
  368. b = a;
  369. a = T1 + T2;
  370. j++;
  371. } while (j < 16);
  372. do {
  373. sha2_word32 s0, s1;
  374. /* Part of the message block expansion: */
  375. s0 = W256[(j+1)&0x0f];
  376. s0 = sigma0_256(s0);
  377. s1 = W256[(j+14)&0x0f];
  378. s1 = sigma1_256(s1);
  379. /* Apply the SHA-256 compression function to update a..h */
  380. T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
  381. (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
  382. T2 = Sigma0_256(a) + Maj(a, b, c);
  383. h = g;
  384. g = f;
  385. f = e;
  386. e = d + T1;
  387. d = c;
  388. c = b;
  389. b = a;
  390. a = T1 + T2;
  391. j++;
  392. } while (j < 64);
  393. /* Compute the current intermediate hash value */
  394. context->state[0] += a;
  395. context->state[1] += b;
  396. context->state[2] += c;
  397. context->state[3] += d;
  398. context->state[4] += e;
  399. context->state[5] += f;
  400. context->state[6] += g;
  401. context->state[7] += h;
  402. /* Clean up */
  403. a = b = c = d = e = f = g = h = T1 = T2 = 0;
  404. }
  405. #endif /* SHA2_UNROLL_TRANSFORM */
  406. void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
  407. unsigned int freespace, usedspace;
  408. if (len == 0) {
  409. /* Calling with no data is valid - we do nothing */
  410. return;
  411. }
  412. /* Sanity check: */
  413. assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
  414. usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
  415. if (usedspace > 0) {
  416. /* Calculate how much free space is available in the buffer */
  417. freespace = SHA256_BLOCK_LENGTH - usedspace;
  418. if (len >= freespace) {
  419. /* Fill the buffer completely and process it */
  420. MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
  421. context->bitcount += freespace << 3;
  422. len -= freespace;
  423. data += freespace;
  424. SHA256_Transform(context, (sha2_word32*)context->buffer);
  425. } else {
  426. /* The buffer is not yet full */
  427. MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
  428. context->bitcount += len << 3;
  429. /* Clean up: */
  430. usedspace = freespace = 0;
  431. return;
  432. }
  433. }
  434. while (len >= SHA256_BLOCK_LENGTH) {
  435. /* Process as many complete blocks as we can */
  436. SHA256_Transform(context, (sha2_word32*)data);
  437. context->bitcount += SHA256_BLOCK_LENGTH << 3;
  438. len -= SHA256_BLOCK_LENGTH;
  439. data += SHA256_BLOCK_LENGTH;
  440. }
  441. if (len > 0) {
  442. /* There's left-overs, so save 'em */
  443. MEMCPY_BCOPY(context->buffer, data, len);
  444. context->bitcount += len << 3;
  445. }
  446. /* Clean up: */
  447. usedspace = freespace = 0;
  448. }
  449. void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
  450. sha2_word32 *d = (sha2_word32*)digest;
  451. unsigned int usedspace;
  452. /* Sanity check: */
  453. assert(context != (SHA256_CTX*)0);
  454. /* If no digest buffer is passed, we don't bother doing this: */
  455. if (digest != (sha2_byte*)0) {
  456. usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
  457. #if BYTE_ORDER == LITTLE_ENDIAN
  458. /* Convert FROM host byte order */
  459. REVERSE64(context->bitcount,context->bitcount);
  460. #endif
  461. if (usedspace > 0) {
  462. /* Begin padding with a 1 bit: */
  463. context->buffer[usedspace++] = 0x80;
  464. if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
  465. /* Set-up for the last transform: */
  466. MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
  467. } else {
  468. if (usedspace < SHA256_BLOCK_LENGTH) {
  469. MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
  470. }
  471. /* Do second-to-last transform: */
  472. SHA256_Transform(context, (sha2_word32*)context->buffer);
  473. /* And set-up for the last transform: */
  474. MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
  475. }
  476. } else {
  477. /* Set-up for the last transform: */
  478. MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
  479. /* Begin padding with a 1 bit: */
  480. *context->buffer = 0x80;
  481. }
  482. /* Set the bit count: */
  483. *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
  484. /* Final transform: */
  485. SHA256_Transform(context, (sha2_word32*)context->buffer);
  486. #if BYTE_ORDER == LITTLE_ENDIAN
  487. {
  488. /* Convert TO host byte order */
  489. int j;
  490. for (j = 0; j < 8; j++) {
  491. REVERSE32(context->state[j],context->state[j]);
  492. *d++ = context->state[j];
  493. }
  494. }
  495. #else
  496. MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH);
  497. #endif
  498. }
  499. /* Clean up state data: */
  500. MEMSET_BZERO(context, sizeof(context));
  501. usedspace = 0;
  502. }
  503. char *SHA256_End(SHA256_CTX* context, char buffer[]) {
  504. sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
  505. /* Sanity check: */
  506. assert(context != (SHA256_CTX*)0);
  507. if (buffer != (char*)0) {
  508. int i = 0;
  509. SHA256_Final(digest, context);
  510. for (; i < SHA256_DIGEST_LENGTH; i++) {
  511. *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
  512. *buffer++ = sha2_hex_digits[*d & 0x0f];
  513. d++;
  514. }
  515. *buffer = (char)0;
  516. } else {
  517. MEMSET_BZERO(context, sizeof(context));
  518. }
  519. MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH);
  520. return buffer;
  521. }
  522. char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
  523. SHA256_CTX context;
  524. SHA256_Init(&context);
  525. SHA256_Update(&context, data, len);
  526. return SHA256_End(&context, digest);
  527. }