1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
20 * A licence was granted to the ASF by Aaron on 4 November 2003.
23 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
24 #include <assert.h> /* assert() */
29 * Some sanity checking code is included using assert(). On my FreeBSD
30 * system, this additional code can be removed by compiling with NDEBUG
31 * defined. Check your own systems manpage on assert() to see how to
32 * compile WITHOUT the sanity checking code on your system.
34 * UNROLLED TRANSFORM LOOP NOTE:
35 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
36 * loop version for the hash transform rounds (defined using macros
37 * later in this file). Either define on the command line, for example:
39 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
43 * #define SHA2_UNROLL_TRANSFORM
47 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
48 typedef apr_byte_t sha2_byte; /* Exactly 1 byte */
49 typedef apr_uint32_t sha2_word32; /* Exactly 4 bytes */
50 typedef apr_uint64_t sha2_word64; /* Exactly 8 bytes */
52 /*** SHA-256/384/512 Various Length Definitions ***********************/
53 /* NOTE: Most of these are in sha2.h */
54 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
55 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
56 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
59 /*** ENDIAN REVERSAL MACROS *******************************************/
61 #define REVERSE32(w,x) { \
62 sha2_word32 tmp = (w); \
63 tmp = (tmp >> 16) | (tmp << 16); \
64 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
66 #define REVERSE64(w,x) { \
67 sha2_word64 tmp = (w); \
68 tmp = (tmp >> 32) | (tmp << 32); \
69 tmp = ((tmp & APR_UINT64_C(0xff00ff00ff00ff00)) >> 8) | \
70 ((tmp & APR_UINT64_C(0x00ff00ff00ff00ff)) << 8); \
71 (x) = ((tmp & APR_UINT64_C(0xffff0000ffff0000)) >> 16) | \
72 ((tmp & APR_UINT64_C(0x0000ffff0000ffff)) << 16); \
74 #endif /* !APR_IS_BIGENDIAN */
77 * Macro for incrementally adding the unsigned 64-bit integer n to the
78 * unsigned 128-bit integer (represented using a two-element array of
81 #define ADDINC128(w,n) { \
82 (w)[0] += (sha2_word64)(n); \
89 * Macros for copying blocks of memory and for zeroing out ranges
90 * of memory. Using these macros makes it easy to switch from
91 * using memset()/memcpy() and using bzero()/bcopy().
93 * Please define either SHA2_USE_MEMSET_MEMCPY or define
94 * SHA2_USE_BZERO_BCOPY depending on which function set you
97 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
98 /* Default to memset()/memcpy() if no option is specified */
99 #define SHA2_USE_MEMSET_MEMCPY 1
101 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
102 /* Abort with an error if BOTH options are defined */
103 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
106 #ifdef SHA2_USE_MEMSET_MEMCPY
107 #define MEMSET_BZERO(p,l) memset((p), 0, (l))
108 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
110 #ifdef SHA2_USE_BZERO_BCOPY
111 #define MEMSET_BZERO(p,l) bzero((p), (l))
112 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
116 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
118 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
120 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
121 * S is a ROTATION) because the SHA-256/384/512 description document
122 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
123 * same "backwards" definition.
125 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
126 #define R(b,x) ((x) >> (b))
127 /* 32-bit Rotate-right (used in SHA-256): */
128 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
129 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
130 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
132 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
133 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
134 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
136 /* Four of six logical functions used in SHA-256: */
137 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
138 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
139 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
140 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
142 /* Four of six logical functions used in SHA-384 and SHA-512: */
143 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
144 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
145 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
146 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
148 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
149 /* NOTE: These should not be accessed directly from outside this
150 * library -- they are intended for private internal visibility/use
153 void apr__SHA512_Last(SHA512_CTX*);
154 void apr__SHA256_Transform(SHA256_CTX*, const sha2_word32*);
155 void apr__SHA512_Transform(SHA512_CTX*, const sha2_word64*);
158 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
159 /* Hash constant words K for SHA-256: */
160 static const sha2_word32 K256[64] = {
161 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
162 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
163 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
164 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
165 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
166 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
167 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
168 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
169 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
170 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
171 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
172 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
173 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
174 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
175 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
176 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
179 /* Initial hash value H for SHA-256: */
180 static const sha2_word32 sha256_initial_hash_value[8] = {
191 /* Hash constant words K for SHA-384 and SHA-512: */
192 static const sha2_word64 K512[80] = {
193 APR_UINT64_C(0x428a2f98d728ae22), APR_UINT64_C(0x7137449123ef65cd),
194 APR_UINT64_C(0xb5c0fbcfec4d3b2f), APR_UINT64_C(0xe9b5dba58189dbbc),
195 APR_UINT64_C(0x3956c25bf348b538), APR_UINT64_C(0x59f111f1b605d019),
196 APR_UINT64_C(0x923f82a4af194f9b), APR_UINT64_C(0xab1c5ed5da6d8118),
197 APR_UINT64_C(0xd807aa98a3030242), APR_UINT64_C(0x12835b0145706fbe),
198 APR_UINT64_C(0x243185be4ee4b28c), APR_UINT64_C(0x550c7dc3d5ffb4e2),
199 APR_UINT64_C(0x72be5d74f27b896f), APR_UINT64_C(0x80deb1fe3b1696b1),
200 APR_UINT64_C(0x9bdc06a725c71235), APR_UINT64_C(0xc19bf174cf692694),
201 APR_UINT64_C(0xe49b69c19ef14ad2), APR_UINT64_C(0xefbe4786384f25e3),
202 APR_UINT64_C(0x0fc19dc68b8cd5b5), APR_UINT64_C(0x240ca1cc77ac9c65),
203 APR_UINT64_C(0x2de92c6f592b0275), APR_UINT64_C(0x4a7484aa6ea6e483),
204 APR_UINT64_C(0x5cb0a9dcbd41fbd4), APR_UINT64_C(0x76f988da831153b5),
205 APR_UINT64_C(0x983e5152ee66dfab), APR_UINT64_C(0xa831c66d2db43210),
206 APR_UINT64_C(0xb00327c898fb213f), APR_UINT64_C(0xbf597fc7beef0ee4),
207 APR_UINT64_C(0xc6e00bf33da88fc2), APR_UINT64_C(0xd5a79147930aa725),
208 APR_UINT64_C(0x06ca6351e003826f), APR_UINT64_C(0x142929670a0e6e70),
209 APR_UINT64_C(0x27b70a8546d22ffc), APR_UINT64_C(0x2e1b21385c26c926),
210 APR_UINT64_C(0x4d2c6dfc5ac42aed), APR_UINT64_C(0x53380d139d95b3df),
211 APR_UINT64_C(0x650a73548baf63de), APR_UINT64_C(0x766a0abb3c77b2a8),
212 APR_UINT64_C(0x81c2c92e47edaee6), APR_UINT64_C(0x92722c851482353b),
213 APR_UINT64_C(0xa2bfe8a14cf10364), APR_UINT64_C(0xa81a664bbc423001),
214 APR_UINT64_C(0xc24b8b70d0f89791), APR_UINT64_C(0xc76c51a30654be30),
215 APR_UINT64_C(0xd192e819d6ef5218), APR_UINT64_C(0xd69906245565a910),
216 APR_UINT64_C(0xf40e35855771202a), APR_UINT64_C(0x106aa07032bbd1b8),
217 APR_UINT64_C(0x19a4c116b8d2d0c8), APR_UINT64_C(0x1e376c085141ab53),
218 APR_UINT64_C(0x2748774cdf8eeb99), APR_UINT64_C(0x34b0bcb5e19b48a8),
219 APR_UINT64_C(0x391c0cb3c5c95a63), APR_UINT64_C(0x4ed8aa4ae3418acb),
220 APR_UINT64_C(0x5b9cca4f7763e373), APR_UINT64_C(0x682e6ff3d6b2b8a3),
221 APR_UINT64_C(0x748f82ee5defb2fc), APR_UINT64_C(0x78a5636f43172f60),
222 APR_UINT64_C(0x84c87814a1f0ab72), APR_UINT64_C(0x8cc702081a6439ec),
223 APR_UINT64_C(0x90befffa23631e28), APR_UINT64_C(0xa4506cebde82bde9),
224 APR_UINT64_C(0xbef9a3f7b2c67915), APR_UINT64_C(0xc67178f2e372532b),
225 APR_UINT64_C(0xca273eceea26619c), APR_UINT64_C(0xd186b8c721c0c207),
226 APR_UINT64_C(0xeada7dd6cde0eb1e), APR_UINT64_C(0xf57d4f7fee6ed178),
227 APR_UINT64_C(0x06f067aa72176fba), APR_UINT64_C(0x0a637dc5a2c898a6),
228 APR_UINT64_C(0x113f9804bef90dae), APR_UINT64_C(0x1b710b35131c471b),
229 APR_UINT64_C(0x28db77f523047d84), APR_UINT64_C(0x32caab7b40c72493),
230 APR_UINT64_C(0x3c9ebe0a15c9bebc), APR_UINT64_C(0x431d67c49c100d4c),
231 APR_UINT64_C(0x4cc5d4becb3e42b6), APR_UINT64_C(0x597f299cfc657e2a),
232 APR_UINT64_C(0x5fcb6fab3ad6faec), APR_UINT64_C(0x6c44198c4a475817)
235 /* Initial hash value H for SHA-384 */
236 static const sha2_word64 sha384_initial_hash_value[8] = {
237 APR_UINT64_C(0xcbbb9d5dc1059ed8),
238 APR_UINT64_C(0x629a292a367cd507),
239 APR_UINT64_C(0x9159015a3070dd17),
240 APR_UINT64_C(0x152fecd8f70e5939),
241 APR_UINT64_C(0x67332667ffc00b31),
242 APR_UINT64_C(0x8eb44a8768581511),
243 APR_UINT64_C(0xdb0c2e0d64f98fa7),
244 APR_UINT64_C(0x47b5481dbefa4fa4)
247 /* Initial hash value H for SHA-512 */
248 static const sha2_word64 sha512_initial_hash_value[8] = {
249 APR_UINT64_C(0x6a09e667f3bcc908),
250 APR_UINT64_C(0xbb67ae8584caa73b),
251 APR_UINT64_C(0x3c6ef372fe94f82b),
252 APR_UINT64_C(0xa54ff53a5f1d36f1),
253 APR_UINT64_C(0x510e527fade682d1),
254 APR_UINT64_C(0x9b05688c2b3e6c1f),
255 APR_UINT64_C(0x1f83d9abfb41bd6b),
256 APR_UINT64_C(0x5be0cd19137e2179)
260 * Constant used by SHA256/384/512_End() functions for converting the
261 * digest to a readable hexadecimal character string:
263 static const char *sha2_hex_digits = "0123456789abcdef";
266 /*** SHA-256: *********************************************************/
267 void apr__SHA256_Init(SHA256_CTX* context) {
268 if (context == (SHA256_CTX*)0) {
271 MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
272 MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH);
273 context->bitcount = 0;
276 #ifdef SHA2_UNROLL_TRANSFORM
278 /* Unrolled SHA-256 round macros: */
280 #if !APR_IS_BIGENDIAN
282 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
283 REVERSE32(*data++, W256[j]); \
284 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
287 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
291 #else /* APR_IS_BIGENDIAN */
293 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
294 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
295 K256[j] + (W256[j] = *data++); \
297 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
300 #endif /* APR_IS_BIGENDIAN */
302 #define ROUND256(a,b,c,d,e,f,g,h) \
303 s0 = W256[(j+1)&0x0f]; \
304 s0 = sigma0_256(s0); \
305 s1 = W256[(j+14)&0x0f]; \
306 s1 = sigma1_256(s1); \
307 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
308 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
310 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
313 void apr__SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
314 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
315 sha2_word32 T1, *W256;
318 W256 = (sha2_word32*)context->buffer;
320 /* Initialize registers with the prev. intermediate value */
321 a = context->state[0];
322 b = context->state[1];
323 c = context->state[2];
324 d = context->state[3];
325 e = context->state[4];
326 f = context->state[5];
327 g = context->state[6];
328 h = context->state[7];
332 /* Rounds 0 to 15 (unrolled): */
333 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
334 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
335 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
336 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
337 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
338 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
339 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
340 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
343 /* Now for the remaining rounds to 64: */
345 ROUND256(a,b,c,d,e,f,g,h);
346 ROUND256(h,a,b,c,d,e,f,g);
347 ROUND256(g,h,a,b,c,d,e,f);
348 ROUND256(f,g,h,a,b,c,d,e);
349 ROUND256(e,f,g,h,a,b,c,d);
350 ROUND256(d,e,f,g,h,a,b,c);
351 ROUND256(c,d,e,f,g,h,a,b);
352 ROUND256(b,c,d,e,f,g,h,a);
355 /* Compute the current intermediate hash value */
356 context->state[0] += a;
357 context->state[1] += b;
358 context->state[2] += c;
359 context->state[3] += d;
360 context->state[4] += e;
361 context->state[5] += f;
362 context->state[6] += g;
363 context->state[7] += h;
366 a = b = c = d = e = f = g = h = T1 = 0;
369 #else /* SHA2_UNROLL_TRANSFORM */
371 void apr__SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
372 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
373 sha2_word32 T1, T2, *W256;
376 W256 = (sha2_word32*)context->buffer;
378 /* Initialize registers with the prev. intermediate value */
379 a = context->state[0];
380 b = context->state[1];
381 c = context->state[2];
382 d = context->state[3];
383 e = context->state[4];
384 f = context->state[5];
385 g = context->state[6];
386 h = context->state[7];
390 #if !APR_IS_BIGENDIAN
391 /* Copy data while converting to host byte order */
392 REVERSE32(*data++,W256[j]);
393 /* Apply the SHA-256 compression function to update a..h */
394 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
395 #else /* APR_IS_BIGENDIAN */
396 /* Apply the SHA-256 compression function to update a..h with copy */
397 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
398 #endif /* APR_IS_BIGENDIAN */
399 T2 = Sigma0_256(a) + Maj(a, b, c);
413 /* Part of the message block expansion: */
414 s0 = W256[(j+1)&0x0f];
416 s1 = W256[(j+14)&0x0f];
419 /* Apply the SHA-256 compression function to update a..h */
420 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
421 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
422 T2 = Sigma0_256(a) + Maj(a, b, c);
435 /* Compute the current intermediate hash value */
436 context->state[0] += a;
437 context->state[1] += b;
438 context->state[2] += c;
439 context->state[3] += d;
440 context->state[4] += e;
441 context->state[5] += f;
442 context->state[6] += g;
443 context->state[7] += h;
446 a = b = c = d = e = f = g = h = T1 = T2 = 0;
449 #endif /* SHA2_UNROLL_TRANSFORM */
451 void apr__SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
452 unsigned int freespace, usedspace;
455 /* Calling with no data is valid - we do nothing */
460 assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
462 usedspace = (unsigned int)((context->bitcount >> 3)
463 % SHA256_BLOCK_LENGTH);
465 /* Calculate how much free space is available in the buffer */
466 freespace = SHA256_BLOCK_LENGTH - usedspace;
468 if (len >= freespace) {
469 /* Fill the buffer completely and process it */
470 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
471 context->bitcount += freespace << 3;
474 apr__SHA256_Transform(context, (sha2_word32*)context->buffer);
476 /* The buffer is not yet full */
477 MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
478 context->bitcount += len << 3;
480 usedspace = freespace = 0;
484 while (len >= SHA256_BLOCK_LENGTH) {
485 /* Process as many complete blocks as we can */
486 apr__SHA256_Transform(context, (sha2_word32*)data);
487 context->bitcount += SHA256_BLOCK_LENGTH << 3;
488 len -= SHA256_BLOCK_LENGTH;
489 data += SHA256_BLOCK_LENGTH;
492 /* There's left-overs, so save 'em */
493 MEMCPY_BCOPY(context->buffer, data, len);
494 context->bitcount += len << 3;
497 usedspace = freespace = 0;
500 void apr__SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
501 sha2_word32 *d = (sha2_word32*)digest;
502 unsigned int usedspace;
505 assert(context != (SHA256_CTX*)0);
507 /* If no digest buffer is passed, we don't bother doing this: */
508 if (digest != (sha2_byte*)0) {
509 usedspace = (unsigned int)((context->bitcount >> 3)
510 % SHA256_BLOCK_LENGTH);
511 #if !APR_IS_BIGENDIAN
512 /* Convert FROM host byte order */
513 REVERSE64(context->bitcount,context->bitcount);
516 /* Begin padding with a 1 bit: */
517 context->buffer[usedspace++] = 0x80;
519 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
520 /* Set-up for the last transform: */
521 MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
523 if (usedspace < SHA256_BLOCK_LENGTH) {
524 MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
526 /* Do second-to-last transform: */
527 apr__SHA256_Transform(context, (sha2_word32*)context->buffer);
529 /* And set-up for the last transform: */
530 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
533 /* Set-up for the last transform: */
534 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
536 /* Begin padding with a 1 bit: */
537 *context->buffer = 0x80;
539 /* Set the bit count: */
540 *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
542 /* Final transform: */
543 apr__SHA256_Transform(context, (sha2_word32*)context->buffer);
545 #if !APR_IS_BIGENDIAN
547 /* Convert TO host byte order */
549 for (j = 0; j < 8; j++) {
550 REVERSE32(context->state[j],context->state[j]);
551 *d++ = context->state[j];
555 MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH);
559 /* Clean up state data: */
560 MEMSET_BZERO(context, sizeof(*context));
564 char *apr__SHA256_End(SHA256_CTX* context, char buffer[]) {
565 sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
569 assert(context != (SHA256_CTX*)0);
571 if (buffer != (char*)0) {
572 apr__SHA256_Final(digest, context);
574 for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
575 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
576 *buffer++ = sha2_hex_digits[*d & 0x0f];
581 MEMSET_BZERO(context, sizeof(*context));
583 MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH);
587 char* apr__SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
590 apr__SHA256_Init(&context);
591 apr__SHA256_Update(&context, data, len);
592 return apr__SHA256_End(&context, digest);
596 /*** SHA-512: *********************************************************/
597 void apr__SHA512_Init(SHA512_CTX* context) {
598 if (context == (SHA512_CTX*)0) {
601 MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
602 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH);
603 context->bitcount[0] = context->bitcount[1] = 0;
606 #ifdef SHA2_UNROLL_TRANSFORM
608 /* Unrolled SHA-512 round macros: */
609 #if !APR_IS_BIGENDIAN
611 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
612 REVERSE64(*data++, W512[j]); \
613 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
616 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
620 #else /* APR_IS_BIGENDIAN */
622 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
623 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
624 K512[j] + (W512[j] = *data++); \
626 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
629 #endif /* APR_IS_BIGENDIAN */
631 #define ROUND512(a,b,c,d,e,f,g,h) \
632 s0 = W512[(j+1)&0x0f]; \
633 s0 = sigma0_512(s0); \
634 s1 = W512[(j+14)&0x0f]; \
635 s1 = sigma1_512(s1); \
636 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
637 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
639 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
642 void apr__SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
643 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
644 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
647 /* Initialize registers with the prev. intermediate value */
648 a = context->state[0];
649 b = context->state[1];
650 c = context->state[2];
651 d = context->state[3];
652 e = context->state[4];
653 f = context->state[5];
654 g = context->state[6];
655 h = context->state[7];
659 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
660 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
661 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
662 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
663 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
664 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
665 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
666 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
669 /* Now for the remaining rounds up to 79: */
671 ROUND512(a,b,c,d,e,f,g,h);
672 ROUND512(h,a,b,c,d,e,f,g);
673 ROUND512(g,h,a,b,c,d,e,f);
674 ROUND512(f,g,h,a,b,c,d,e);
675 ROUND512(e,f,g,h,a,b,c,d);
676 ROUND512(d,e,f,g,h,a,b,c);
677 ROUND512(c,d,e,f,g,h,a,b);
678 ROUND512(b,c,d,e,f,g,h,a);
681 /* Compute the current intermediate hash value */
682 context->state[0] += a;
683 context->state[1] += b;
684 context->state[2] += c;
685 context->state[3] += d;
686 context->state[4] += e;
687 context->state[5] += f;
688 context->state[6] += g;
689 context->state[7] += h;
692 a = b = c = d = e = f = g = h = T1 = 0;
695 #else /* SHA2_UNROLL_TRANSFORM */
697 void apr__SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
698 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
699 sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
702 /* Initialize registers with the prev. intermediate value */
703 a = context->state[0];
704 b = context->state[1];
705 c = context->state[2];
706 d = context->state[3];
707 e = context->state[4];
708 f = context->state[5];
709 g = context->state[6];
710 h = context->state[7];
714 #if !APR_IS_BIGENDIAN
715 /* Convert TO host byte order */
716 REVERSE64(*data++, W512[j]);
717 /* Apply the SHA-512 compression function to update a..h */
718 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
719 #else /* APR_IS_BIGENDIAN */
720 /* Apply the SHA-512 compression function to update a..h with copy */
721 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
722 #endif /* APR_IS_BIGENDIAN */
723 T2 = Sigma0_512(a) + Maj(a, b, c);
737 /* Part of the message block expansion: */
738 s0 = W512[(j+1)&0x0f];
740 s1 = W512[(j+14)&0x0f];
743 /* Apply the SHA-512 compression function to update a..h */
744 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
745 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
746 T2 = Sigma0_512(a) + Maj(a, b, c);
759 /* Compute the current intermediate hash value */
760 context->state[0] += a;
761 context->state[1] += b;
762 context->state[2] += c;
763 context->state[3] += d;
764 context->state[4] += e;
765 context->state[5] += f;
766 context->state[6] += g;
767 context->state[7] += h;
770 a = b = c = d = e = f = g = h = T1 = T2 = 0;
773 #endif /* SHA2_UNROLL_TRANSFORM */
775 void apr__SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
776 unsigned int freespace, usedspace;
779 /* Calling with no data is valid - we do nothing */
784 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
786 usedspace = (unsigned int)((context->bitcount[0] >> 3)
787 % SHA512_BLOCK_LENGTH);
789 /* Calculate how much free space is available in the buffer */
790 freespace = SHA512_BLOCK_LENGTH - usedspace;
792 if (len >= freespace) {
793 /* Fill the buffer completely and process it */
794 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
795 ADDINC128(context->bitcount, freespace << 3);
798 apr__SHA512_Transform(context, (sha2_word64*)context->buffer);
800 /* The buffer is not yet full */
801 MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
802 ADDINC128(context->bitcount, len << 3);
804 usedspace = freespace = 0;
808 while (len >= SHA512_BLOCK_LENGTH) {
809 /* Process as many complete blocks as we can */
810 apr__SHA512_Transform(context, (sha2_word64*)data);
811 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
812 len -= SHA512_BLOCK_LENGTH;
813 data += SHA512_BLOCK_LENGTH;
816 /* There's left-overs, so save 'em */
817 MEMCPY_BCOPY(context->buffer, data, len);
818 ADDINC128(context->bitcount, len << 3);
821 usedspace = freespace = 0;
824 void apr__SHA512_Last(SHA512_CTX* context) {
825 unsigned int usedspace;
827 usedspace = (unsigned int)((context->bitcount[0] >> 3)
828 % SHA512_BLOCK_LENGTH);
829 #if !APR_IS_BIGENDIAN
830 /* Convert FROM host byte order */
831 REVERSE64(context->bitcount[0],context->bitcount[0]);
832 REVERSE64(context->bitcount[1],context->bitcount[1]);
835 /* Begin padding with a 1 bit: */
836 context->buffer[usedspace++] = 0x80;
838 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
839 /* Set-up for the last transform: */
840 MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
842 if (usedspace < SHA512_BLOCK_LENGTH) {
843 MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
845 /* Do second-to-last transform: */
846 apr__SHA512_Transform(context, (sha2_word64*)context->buffer);
848 /* And set-up for the last transform: */
849 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2);
852 /* Prepare for final transform: */
853 MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
855 /* Begin padding with a 1 bit: */
856 *context->buffer = 0x80;
858 /* Store the length of input data (in bits): */
859 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
860 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
862 /* Final transform: */
863 apr__SHA512_Transform(context, (sha2_word64*)context->buffer);
866 void apr__SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
867 sha2_word64 *d = (sha2_word64*)digest;
870 assert(context != (SHA512_CTX*)0);
872 /* If no digest buffer is passed, we don't bother doing this: */
873 if (digest != (sha2_byte*)0) {
874 apr__SHA512_Last(context);
876 /* Save the hash data for output: */
877 #if !APR_IS_BIGENDIAN
879 /* Convert TO host byte order */
881 for (j = 0; j < 8; j++) {
882 REVERSE64(context->state[j],context->state[j]);
883 *d++ = context->state[j];
886 #else /* APR_IS_BIGENDIAN */
887 MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH);
888 #endif /* APR_IS_BIGENDIAN */
891 /* Zero out state data */
892 MEMSET_BZERO(context, sizeof(*context));
895 char *apr__SHA512_End(SHA512_CTX* context, char buffer[]) {
896 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
900 assert(context != (SHA512_CTX*)0);
902 if (buffer != (char*)0) {
903 apr__SHA512_Final(digest, context);
905 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
906 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
907 *buffer++ = sha2_hex_digits[*d & 0x0f];
912 MEMSET_BZERO(context, sizeof(*context));
914 MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH);
918 char* apr__SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
921 apr__SHA512_Init(&context);
922 apr__SHA512_Update(&context, data, len);
923 return apr__SHA512_End(&context, digest);
927 /*** SHA-384: *********************************************************/
928 void apr__SHA384_Init(SHA384_CTX* context) {
929 if (context == (SHA384_CTX*)0) {
932 MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
933 MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH);
934 context->bitcount[0] = context->bitcount[1] = 0;
937 void apr__SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
938 apr__SHA512_Update((SHA512_CTX*)context, data, len);
941 void apr__SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
942 sha2_word64 *d = (sha2_word64*)digest;
945 assert(context != (SHA384_CTX*)0);
947 /* If no digest buffer is passed, we don't bother doing this: */
948 if (digest != (sha2_byte*)0) {
949 apr__SHA512_Last((SHA512_CTX*)context);
951 /* Save the hash data for output: */
952 #if !APR_IS_BIGENDIAN
954 /* Convert TO host byte order */
956 for (j = 0; j < 6; j++) {
957 REVERSE64(context->state[j],context->state[j]);
958 *d++ = context->state[j];
961 #else /* APR_IS_BIGENDIAN */
962 MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH);
963 #endif /* APR_IS_BIGENDIAN */
966 /* Zero out state data */
967 MEMSET_BZERO(context, sizeof(*context));
970 char *apr__SHA384_End(SHA384_CTX* context, char buffer[]) {
971 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
975 assert(context != (SHA384_CTX*)0);
977 if (buffer != (char*)0) {
978 apr__SHA384_Final(digest, context);
980 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
981 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
982 *buffer++ = sha2_hex_digits[*d & 0x0f];
987 MEMSET_BZERO(context, sizeof(*context));
989 MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH);
993 char* apr__SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
996 apr__SHA384_Init(&context);
997 apr__SHA384_Update(&context, data, len);
998 return apr__SHA384_End(&context, digest);