Index: head/lib/libmd/md4c.c =================================================================== --- head/lib/libmd/md4c.c (revision 336538) +++ head/lib/libmd/md4c.c (revision 336539) @@ -1,310 +1,310 @@ /* MD4C.C - RSA Data Security, Inc., MD4 message-digest algorithm */ #include __FBSDID("$FreeBSD$"); /*- SPDX-License-Identifier: RSA-MD Copyright (C) 1990-2, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD4 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD4 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. */ #include #include #include "md4.h" typedef unsigned char *POINTER; typedef const unsigned char *CONST_POINTER; typedef u_int16_t UINT2; typedef u_int32_t UINT4; #define PROTO_LIST(list) list /* Constants for MD4Transform routine. */ #define S11 3 #define S12 7 #define S13 11 #define S14 19 #define S21 3 #define S22 5 #define S23 9 #define S24 13 #define S31 3 #define S32 9 #define S33 11 #define S34 15 static void MD4Transform PROTO_LIST ((UINT4 [4], const unsigned char [64])); static void Encode PROTO_LIST ((unsigned char *, UINT4 *, unsigned int)); static void Decode PROTO_LIST ((UINT4 *, const unsigned char *, unsigned int)); static unsigned char PADDING[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* F, G and H are basic MD4 functions. */ #define F(x, y, z) (((x) & (y)) | ((~x) & (z))) #define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z))) #define H(x, y, z) ((x) ^ (y) ^ (z)) /* ROTATE_LEFT rotates x left n bits. */ #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) /* FF, GG and HH are transformations for rounds 1, 2 and 3 */ /* Rotation is separate from addition to prevent recomputation */ #define FF(a, b, c, d, x, s) { \ (a) += F ((b), (c), (d)) + (x); \ (a) = ROTATE_LEFT ((a), (s)); \ } #define GG(a, b, c, d, x, s) { \ (a) += G ((b), (c), (d)) + (x) + (UINT4)0x5a827999; \ (a) = ROTATE_LEFT ((a), (s)); \ } #define HH(a, b, c, d, x, s) { \ (a) += H ((b), (c), (d)) + (x) + (UINT4)0x6ed9eba1; \ (a) = ROTATE_LEFT ((a), (s)); \ } /* MD4 initialization. Begins an MD4 operation, writing a new context. */ void MD4Init (context) MD4_CTX *context; /* context */ { context->count[0] = context->count[1] = 0; /* Load magic initialization constants. */ context->state[0] = 0x67452301; context->state[1] = 0xefcdab89; context->state[2] = 0x98badcfe; context->state[3] = 0x10325476; } /* MD4 block update operation. Continues an MD4 message-digest operation, processing another message block, and updating the context. */ void MD4Update (context, in, inputLen) MD4_CTX *context; /* context */ const void *in; /* input block */ unsigned int inputLen; /* length of input block */ { unsigned int i, idx, partLen; const unsigned char *input = in; /* Compute number of bytes mod 64 */ idx = (unsigned int)((context->count[0] >> 3) & 0x3F); /* Update number of bits */ if ((context->count[0] += ((UINT4)inputLen << 3)) < ((UINT4)inputLen << 3)) context->count[1]++; context->count[1] += ((UINT4)inputLen >> 29); partLen = 64 - idx; /* Transform as many times as possible. */ if (inputLen >= partLen) { memcpy ((POINTER)&context->buffer[idx], (CONST_POINTER)input, partLen); MD4Transform (context->state, context->buffer); for (i = partLen; i + 63 < inputLen; i += 64) MD4Transform (context->state, &input[i]); idx = 0; } else i = 0; /* Buffer remaining input */ memcpy ((POINTER)&context->buffer[idx], (CONST_POINTER)&input[i], inputLen-i); } /* MD4 padding. */ void MD4Pad (context) MD4_CTX *context; /* context */ { unsigned char bits[8]; unsigned int idx, padLen; /* Save number of bits */ Encode (bits, context->count, 8); /* Pad out to 56 mod 64. */ idx = (unsigned int)((context->count[0] >> 3) & 0x3f); padLen = (idx < 56) ? (56 - idx) : (120 - idx); MD4Update (context, PADDING, padLen); /* Append length (before padding) */ MD4Update (context, bits, 8); } /* MD4 finalization. Ends an MD4 message-digest operation, writing the the message digest and zeroizing the context. */ void MD4Final (digest, context) unsigned char digest[16]; /* message digest */ MD4_CTX *context; /* context */ { /* Do padding */ MD4Pad (context); /* Store state in digest */ Encode (digest, context->state, 16); /* Zeroize sensitive information. */ - memset ((POINTER)context, 0, sizeof (*context)); + explicit_bzero(context, sizeof(*context)); } /* MD4 basic transformation. Transforms state based on block. */ static void MD4Transform (state, block) UINT4 state[4]; const unsigned char block[64]; { UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16]; Decode (x, block, 64); /* Round 1 */ FF (a, b, c, d, x[ 0], S11); /* 1 */ FF (d, a, b, c, x[ 1], S12); /* 2 */ FF (c, d, a, b, x[ 2], S13); /* 3 */ FF (b, c, d, a, x[ 3], S14); /* 4 */ FF (a, b, c, d, x[ 4], S11); /* 5 */ FF (d, a, b, c, x[ 5], S12); /* 6 */ FF (c, d, a, b, x[ 6], S13); /* 7 */ FF (b, c, d, a, x[ 7], S14); /* 8 */ FF (a, b, c, d, x[ 8], S11); /* 9 */ FF (d, a, b, c, x[ 9], S12); /* 10 */ FF (c, d, a, b, x[10], S13); /* 11 */ FF (b, c, d, a, x[11], S14); /* 12 */ FF (a, b, c, d, x[12], S11); /* 13 */ FF (d, a, b, c, x[13], S12); /* 14 */ FF (c, d, a, b, x[14], S13); /* 15 */ FF (b, c, d, a, x[15], S14); /* 16 */ /* Round 2 */ GG (a, b, c, d, x[ 0], S21); /* 17 */ GG (d, a, b, c, x[ 4], S22); /* 18 */ GG (c, d, a, b, x[ 8], S23); /* 19 */ GG (b, c, d, a, x[12], S24); /* 20 */ GG (a, b, c, d, x[ 1], S21); /* 21 */ GG (d, a, b, c, x[ 5], S22); /* 22 */ GG (c, d, a, b, x[ 9], S23); /* 23 */ GG (b, c, d, a, x[13], S24); /* 24 */ GG (a, b, c, d, x[ 2], S21); /* 25 */ GG (d, a, b, c, x[ 6], S22); /* 26 */ GG (c, d, a, b, x[10], S23); /* 27 */ GG (b, c, d, a, x[14], S24); /* 28 */ GG (a, b, c, d, x[ 3], S21); /* 29 */ GG (d, a, b, c, x[ 7], S22); /* 30 */ GG (c, d, a, b, x[11], S23); /* 31 */ GG (b, c, d, a, x[15], S24); /* 32 */ /* Round 3 */ HH (a, b, c, d, x[ 0], S31); /* 33 */ HH (d, a, b, c, x[ 8], S32); /* 34 */ HH (c, d, a, b, x[ 4], S33); /* 35 */ HH (b, c, d, a, x[12], S34); /* 36 */ HH (a, b, c, d, x[ 2], S31); /* 37 */ HH (d, a, b, c, x[10], S32); /* 38 */ HH (c, d, a, b, x[ 6], S33); /* 39 */ HH (b, c, d, a, x[14], S34); /* 40 */ HH (a, b, c, d, x[ 1], S31); /* 41 */ HH (d, a, b, c, x[ 9], S32); /* 42 */ HH (c, d, a, b, x[ 5], S33); /* 43 */ HH (b, c, d, a, x[13], S34); /* 44 */ HH (a, b, c, d, x[ 3], S31); /* 45 */ HH (d, a, b, c, x[11], S32); /* 46 */ HH (c, d, a, b, x[ 7], S33); /* 47 */ HH (b, c, d, a, x[15], S34); /* 48 */ state[0] += a; state[1] += b; state[2] += c; state[3] += d; /* Zeroize sensitive information. */ memset ((POINTER)x, 0, sizeof (x)); } /* Encodes input (UINT4) into output (unsigned char). Assumes len is a multiple of 4. */ static void Encode (output, input, len) unsigned char *output; UINT4 *input; unsigned int len; { unsigned int i, j; for (i = 0, j = 0; j < len; i++, j += 4) { output[j] = (unsigned char)(input[i] & 0xff); output[j+1] = (unsigned char)((input[i] >> 8) & 0xff); output[j+2] = (unsigned char)((input[i] >> 16) & 0xff); output[j+3] = (unsigned char)((input[i] >> 24) & 0xff); } } /* Decodes input (unsigned char) into output (UINT4). Assumes len is a multiple of 4. */ static void Decode (output, input, len) UINT4 *output; const unsigned char *input; unsigned int len; { unsigned int i, j; for (i = 0, j = 0; j < len; i++, j += 4) output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) | (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24); } #ifdef WEAK_REFS /* When building libmd, provide weak references. Note: this is not activated in the context of compiling these sources for internal use in libcrypt. */ #undef MD4Init __weak_reference(_libmd_MD4Init, MD4Init); #undef MD4Update __weak_reference(_libmd_MD4Update, MD4Update); #undef MD4Pad __weak_reference(_libmd_MD4Pad, MD4Pad); #undef MD4Final __weak_reference(_libmd_MD4Final, MD4Final); #endif Index: head/lib/libmd/md5c.c =================================================================== --- head/lib/libmd/md5c.c (revision 336538) +++ head/lib/libmd/md5c.c (revision 336539) @@ -1,347 +1,347 @@ /*- * SPDX-License-Identifier: RSA-MD * * MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm * * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All * rights reserved. * * License to copy and use this software is granted provided that it * is identified as the "RSA Data Security, Inc. MD5 Message-Digest * Algorithm" in all material mentioning or referencing this software * or this function. * * License is also granted to make and use derivative works provided * that such works are identified as "derived from the RSA Data * Security, Inc. MD5 Message-Digest Algorithm" in all material * mentioning or referencing the derived work. * * RSA Data Security, Inc. makes no representations concerning either * the merchantability of this software or the suitability of this * software for any particular purpose. It is provided "as is" * without express or implied warranty of any kind. * * These notices must be retained in any copies of any part of this * documentation and/or software. * * This code is the same as the code published by RSA Inc. It has been * edited for clarity and style only. */ #include __FBSDID("$FreeBSD$"); #include #ifdef _KERNEL #include #else #include #endif #include #include #include "md5.h" static void MD5Transform(u_int32_t [4], const unsigned char [64]); #ifdef _KERNEL #define memset(x,y,z) bzero(x,z); #define memcpy(x,y,z) bcopy(y, x, z) #endif #if (BYTE_ORDER == LITTLE_ENDIAN) #define Encode memcpy #define Decode memcpy #else /* * Encodes input (u_int32_t) into output (unsigned char). Assumes len is * a multiple of 4. */ static void Encode (unsigned char *output, u_int32_t *input, unsigned int len) { unsigned int i; u_int32_t *op = (u_int32_t *)output; for (i = 0; i < len / 4; i++) op[i] = htole32(input[i]); } /* * Decodes input (unsigned char) into output (u_int32_t). Assumes len is * a multiple of 4. */ static void Decode (u_int32_t *output, const unsigned char *input, unsigned int len) { unsigned int i; const u_int32_t *ip = (const u_int32_t *)input; for (i = 0; i < len / 4; i++) output[i] = le32toh(ip[i]); } #endif static unsigned char PADDING[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* F, G, H and I are basic MD5 functions. */ #define F(x, y, z) (((x) & (y)) | ((~x) & (z))) #define G(x, y, z) (((x) & (z)) | ((y) & (~z))) #define H(x, y, z) ((x) ^ (y) ^ (z)) #define I(x, y, z) ((y) ^ ((x) | (~z))) /* ROTATE_LEFT rotates x left n bits. */ #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) /* * FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. * Rotation is separate from addition to prevent recomputation. */ #define FF(a, b, c, d, x, s, ac) { \ (a) += F ((b), (c), (d)) + (x) + (u_int32_t)(ac); \ (a) = ROTATE_LEFT ((a), (s)); \ (a) += (b); \ } #define GG(a, b, c, d, x, s, ac) { \ (a) += G ((b), (c), (d)) + (x) + (u_int32_t)(ac); \ (a) = ROTATE_LEFT ((a), (s)); \ (a) += (b); \ } #define HH(a, b, c, d, x, s, ac) { \ (a) += H ((b), (c), (d)) + (x) + (u_int32_t)(ac); \ (a) = ROTATE_LEFT ((a), (s)); \ (a) += (b); \ } #define II(a, b, c, d, x, s, ac) { \ (a) += I ((b), (c), (d)) + (x) + (u_int32_t)(ac); \ (a) = ROTATE_LEFT ((a), (s)); \ (a) += (b); \ } /* MD5 initialization. Begins an MD5 operation, writing a new context. */ void MD5Init (MD5_CTX *context) { context->count[0] = context->count[1] = 0; /* Load magic initialization constants. */ context->state[0] = 0x67452301; context->state[1] = 0xefcdab89; context->state[2] = 0x98badcfe; context->state[3] = 0x10325476; } /* * MD5 block update operation. Continues an MD5 message-digest * operation, processing another message block, and updating the * context. */ void MD5Update (MD5_CTX *context, const void *in, unsigned int inputLen) { unsigned int i, idx, partLen; const unsigned char *input = in; /* Compute number of bytes mod 64 */ idx = (unsigned int)((context->count[0] >> 3) & 0x3F); /* Update number of bits */ if ((context->count[0] += ((u_int32_t)inputLen << 3)) < ((u_int32_t)inputLen << 3)) context->count[1]++; context->count[1] += ((u_int32_t)inputLen >> 29); partLen = 64 - idx; /* Transform as many times as possible. */ if (inputLen >= partLen) { memcpy((void *)&context->buffer[idx], (const void *)input, partLen); MD5Transform (context->state, context->buffer); for (i = partLen; i + 63 < inputLen; i += 64) MD5Transform (context->state, &input[i]); idx = 0; } else i = 0; /* Buffer remaining input */ memcpy ((void *)&context->buffer[idx], (const void *)&input[i], inputLen-i); } /* * MD5 padding. Adds padding followed by original length. */ void MD5Pad (MD5_CTX *context) { unsigned char bits[8]; unsigned int idx, padLen; /* Save number of bits */ Encode (bits, context->count, 8); /* Pad out to 56 mod 64. */ idx = (unsigned int)((context->count[0] >> 3) & 0x3f); padLen = (idx < 56) ? (56 - idx) : (120 - idx); MD5Update (context, PADDING, padLen); /* Append length (before padding) */ MD5Update (context, bits, 8); } /* * MD5 finalization. Ends an MD5 message-digest operation, writing the * the message digest and zeroizing the context. */ void MD5Final (unsigned char digest[16], MD5_CTX *context) { /* Do padding. */ MD5Pad (context); /* Store state in digest */ Encode (digest, context->state, 16); /* Zeroize sensitive information. */ - memset ((void *)context, 0, sizeof (*context)); + explicit_bzero(context, sizeof(*context)); } /* MD5 basic transformation. Transforms state based on block. */ static void MD5Transform (u_int32_t state[4], const unsigned char block[64]) { u_int32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16]; Decode (x, block, 64); /* Round 1 */ #define S11 7 #define S12 12 #define S13 17 #define S14 22 FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */ FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */ FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */ FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */ FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */ FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */ FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */ FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */ FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */ FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */ FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ /* Round 2 */ #define S21 5 #define S22 9 #define S23 14 #define S24 20 GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */ GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */ GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */ GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */ GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */ GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */ GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */ GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */ GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */ GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */ GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */ GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ /* Round 3 */ #define S31 4 #define S32 11 #define S33 16 #define S34 23 HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */ HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */ HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */ HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */ HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */ HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */ HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */ HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */ HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */ HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */ /* Round 4 */ #define S41 6 #define S42 10 #define S43 15 #define S44 21 II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */ II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */ II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */ II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */ II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */ II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */ II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */ II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */ II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */ II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */ state[0] += a; state[1] += b; state[2] += c; state[3] += d; /* Zeroize sensitive information. */ memset ((void *)x, 0, sizeof (x)); } #ifdef WEAK_REFS /* When building libmd, provide weak references. Note: this is not activated in the context of compiling these sources for internal use in libcrypt. */ #undef MD5Init __weak_reference(_libmd_MD5Init, MD5Init); #undef MD5Update __weak_reference(_libmd_MD5Update, MD5Update); #undef MD5Pad __weak_reference(_libmd_MD5Pad, MD5Pad); #undef MD5Final __weak_reference(_libmd_MD5Final, MD5Final); #undef MD5Transform __weak_reference(_libmd_MD5Transform, MD5Transform); #endif Index: head/lib/libmd/mdX.3 =================================================================== --- head/lib/libmd/mdX.3 (revision 336538) +++ head/lib/libmd/mdX.3 (revision 336539) @@ -1,191 +1,193 @@ .\" .\" ---------------------------------------------------------------------------- .\" "THE BEER-WARE LICENSE" (Revision 42): .\" wrote this file. As long as you retain this notice you .\" can do whatever you want with this stuff. If we meet some day, and you think .\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp .\" ---------------------------------------------------------------------------- .\" .\" $FreeBSD$ .\" -.Dd April 26, 2016 +.Dd July 20, 2018 .Dt MDX 3 .Os .Sh NAME .Nm MDXInit , .Nm MDXUpdate , .Nm MDXPad , .Nm MDXFinal , .Nm MDXEnd , .Nm MDXFile , .Nm MDXFileChunk , .Nm MDXData .Nd calculate the RSA Data Security, Inc., ``MDX'' message digest .Sh LIBRARY .Lb libmd .Sh SYNOPSIS .In sys/types.h .In mdX.h .Ft void .Fn MDXInit "MDX_CTX *context" .Ft void .Fn MDXUpdate "MDX_CTX *context" "const void *data" "unsigned int len" .Ft void .Fn MDXPad "MDX_CTX *context" .Ft void .Fn MDXFinal "unsigned char digest[16]" "MDX_CTX *context" .Ft "char *" .Fn MDXEnd "MDX_CTX *context" "char *buf" .Ft "char *" .Fn MDXFile "const char *filename" "char *buf" .Ft "char *" .Fn MDXFileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn MDXData "const void *data" "unsigned int len" "char *buf" .Sh DESCRIPTION The MDX functions calculate a 128-bit cryptographic checksum (digest) for any number of input bytes. A cryptographic checksum is a one-way hash-function, that is, you cannot find (except by exhaustive search) the input corresponding to a particular output. This net result is a .Dq fingerprint of the input-data, which does not disclose the actual input. .Pp MD4 is the fastest and MD5 is somewhat slower. MD4 has now been broken; it should only be used where necessary for backward compatibility. MD5 has not yet (1999-02-11) been broken, but sufficient attacks have been made that its security is in some doubt. The attacks on both MD4 and MD5 are both in the nature of finding .Dq collisions \[en] that is, multiple inputs which hash to the same value; it is still unlikely for an attacker to be able to determine the exact original input given a hash value. .Pp The .Fn MDXInit , .Fn MDXUpdate , and .Fn MDXFinal functions are the core functions. Allocate an .Vt MDX_CTX , initialize it with .Fn MDXInit , run over the data with .Fn MDXUpdate , and finally extract the result using -.Fn MDXFinal . +.Fn MDXFinal , +which will also erase the +.Vt MDX_CTX . .Pp The .Fn MDXPad function can be used to pad message data in same way as done by .Fn MDXFinal without terminating calculation. .Pp The .Fn MDXEnd function is a wrapper for .Fn MDXFinal which converts the return value to a 33-character (including the terminating '\e0') .Tn ASCII string which represents the 128 bits in hexadecimal. .Pp The .Fn MDXFile function calculates the digest of a file, and uses .Fn MDXEnd to return the result. If the file cannot be opened, a null pointer is returned. The .Fn MDXFileChunk function is similar to .Fn MDXFile , but it only calculates the digest over a byte-range of the file specified, starting at .Fa offset and spanning .Fa length bytes. If the .Fa length parameter is specified as 0, or more than the length of the remaining part of the file, .Fn MDXFileChunk calculates the digest from .Fa offset to the end of file. The .Fn MDXData function calculates the digest of a chunk of data in memory, and uses .Fn MDXEnd to return the result. .Pp When using .Fn MDXEnd , .Fn MDXFile , or .Fn MDXData , the .Fa buf argument can be a null pointer, in which case the returned string is allocated with .Xr malloc 3 and subsequently must be explicitly deallocated using .Xr free 3 after use. If the .Fa buf argument is non-null it must point to at least 33 characters of buffer space. .Sh SEE ALSO .Xr md4 3 , .Xr md5 3 , .Xr ripemd 3 , .Xr sha 3 , .Xr sha256 3 , .Xr sha512 3 , .Xr skein 3 .Rs .%A R. Rivest .%T The MD4 Message-Digest Algorithm .%O RFC 1186 .Re .Rs .%A R. Rivest .%T The MD5 Message-Digest Algorithm .%O RFC 1321 .Re .Rs .%A H. Dobbertin .%T Alf Swindles Ann .%J CryptoBytes .%N 1(3):5 .%D 1995 .Re .Rs .%A MJ. B. Robshaw .%T On Recent Results for MD2, MD4 and MD5 .%J RSA Laboratories Bulletin .%N 4 .%D November 12, 1996 .Re .Sh HISTORY These functions appeared in .Fx 2.0 . .Sh AUTHORS The original MDX routines were developed by .Tn RSA Data Security, Inc., and published in the above references. This code is derived directly from these implementations by .An Poul-Henning Kamp Aq Mt phk@FreeBSD.org . .Pp Phk ristede runen. .Sh BUGS No method is known to exist which finds two files having the same hash value, nor to find a file with a specific hash value. There is on the other hand no guarantee that such a method does not exist. Index: head/lib/libmd/ripemd.3 =================================================================== --- head/lib/libmd/ripemd.3 (revision 336538) +++ head/lib/libmd/ripemd.3 (revision 336539) @@ -1,143 +1,145 @@ .\" .\" ---------------------------------------------------------------------------- .\" "THE BEER-WARE LICENSE" (Revision 42): .\" wrote this file. As long as you retain this notice you .\" can do whatever you want with this stuff. If we meet some day, and you think .\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp .\" ---------------------------------------------------------------------------- .\" .\" From: Id: mdX.3,v 1.14 1999/02/11 20:31:49 wollman Exp .\" $FreeBSD$ .\" -.Dd April 26, 2016 +.Dd July 20, 2018 .Dt RIPEMD 3 .Os .Sh NAME .Nm RIPEMD160_Init , .Nm RIPEMD160_Update , .Nm RIPEMD160_Final , .Nm RIPEMD160_End , .Nm RIPEMD160_File , .Nm RIPEMD160_FileChunk , .Nm RIPEMD160_Data .Nd calculate the RIPEMD160 message digest .Sh LIBRARY .Lb libmd .Sh SYNOPSIS .In sys/types.h .In ripemd.h .Ft void .Fn RIPEMD160_Init "RIPEMD160_CTX *context" .Ft void .Fn RIPEMD160_Update "RIPEMD160_CTX *context" "const unsigned char *data" "unsigned int len" .Ft void .Fn RIPEMD160_Final "unsigned char digest[20]" "RIPEMD160_CTX *context" .Ft "char *" .Fn RIPEMD160_End "RIPEMD160_CTX *context" "char *buf" .Ft "char *" .Fn RIPEMD160_File "const char *filename" "char *buf" .Ft "char *" .Fn RIPEMD160_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn RIPEMD160_Data "const unsigned char *data" "unsigned int len" "char *buf" .Sh DESCRIPTION The .Li RIPEMD160_ functions calculate a 160-bit cryptographic checksum (digest) for any number of input bytes. A cryptographic checksum is a one-way hash function; that is, it is computationally impractical to find the input corresponding to a particular output. This net result is a .Dq fingerprint of the input-data, which does not disclose the actual input. .Pp The .Fn RIPEMD160_Init , .Fn RIPEMD160_Update , and .Fn RIPEMD160_Final functions are the core functions. Allocate an .Vt RIPEMD160_CTX , initialize it with .Fn RIPEMD160_Init , run over the data with .Fn RIPEMD160_Update , and finally extract the result using -.Fn RIPEMD160_Final . +.Fn RIPEMD160_Final , +which will also erase the +.Vt RIPEMD160_CTX . .Pp The .Fn RIPEMD160_End function is a wrapper for .Fn RIPEMD160_Final which converts the return value to a 41-character (including the terminating '\e0') .Tn ASCII string which represents the 160 bits in hexadecimal. .Pp The .Fn RIPEMD160_File function calculates the digest of a file, and uses .Fn RIPEMD160_End to return the result. If the file cannot be opened, a null pointer is returned. The .Fn RIPEMD160_FileChunk function is similar to .Fn RIPEMD160_File , but it only calculates the digest over a byte-range of the file specified, starting at .Fa offset and spanning .Fa length bytes. If the .Fa length parameter is specified as 0, or more than the length of the remaining part of the file, .Fn RIPEMD160_FileChunk calculates the digest from .Fa offset to the end of file. The .Fn RIPEMD160_Data function calculates the digest of a chunk of data in memory, and uses .Fn RIPEMD160_End to return the result. .Pp When using .Fn RIPEMD160_End , .Fn RIPEMD160_File , or .Fn RIPEMD160_Data , the .Fa buf argument can be a null pointer, in which case the returned string is allocated with .Xr malloc 3 and subsequently must be explicitly deallocated using .Xr free 3 after use. If the .Fa buf argument is non-null it must point to at least 41 characters of buffer space. .Sh SEE ALSO .Xr md4 3 , .Xr md5 3 , .Xr sha 3 , .Xr sha256 3 , .Xr sha512 3 , .Xr skein 3 .Sh HISTORY These functions appeared in .Fx 4.0 . .Sh AUTHORS The core hash routines were implemented by Eric Young based on the published .Tn RIPEMD160 specification. .Sh BUGS No method is known to exist which finds two files having the same hash value, nor to find a file with a specific hash value. There is on the other hand no guarantee that such a method does not exist. Index: head/lib/libmd/rmd160c.c =================================================================== --- head/lib/libmd/rmd160c.c (revision 336538) +++ head/lib/libmd/rmd160c.c (revision 336539) @@ -1,566 +1,564 @@ /* crypto/ripemd/rmd_dgst.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include __FBSDID("$FreeBSD$"); #include #include #include #if 0 #include /* we use the __ variants of bit-sized types */ #endif #include #include "rmd_locl.h" /* * The assembly-language code is not position-independent, so don't * try to use it in a shared library. */ #ifdef PIC #undef RMD160_ASM #endif char *RMD160_version="RIPEMD160 part of SSLeay 0.9.0b 11-Oct-1998"; #ifdef RMD160_ASM void ripemd160_block_x86(RIPEMD160_CTX *c, const u_int32_t *p,int num); #define ripemd160_block ripemd160_block_x86 #else void ripemd160_block(RIPEMD160_CTX *c, const u_int32_t *p,int num); #endif void RIPEMD160_Init(c) RIPEMD160_CTX *c; { c->A=RIPEMD160_A; c->B=RIPEMD160_B; c->C=RIPEMD160_C; c->D=RIPEMD160_D; c->E=RIPEMD160_E; c->Nl=0; c->Nh=0; c->num=0; } void RIPEMD160_Update(c, in, len) RIPEMD160_CTX *c; const void *in; size_t len; { u_int32_t *p; int sw,sc; u_int32_t l; const unsigned char *data = in; if (len == 0) return; l=(c->Nl+(len<<3))&0xffffffffL; if (l < c->Nl) /* overflow */ c->Nh++; c->Nh+=(len>>29); c->Nl=l; if (c->num != 0) { p=c->data; sw=c->num>>2; sc=c->num&0x03; if ((c->num+len) >= RIPEMD160_CBLOCK) { l= p[sw]; p_c2l(data,l,sc); p[sw++]=l; for (; swnum); ripemd160_block(c,p,64); c->num=0; /* drop through and do the rest */ } else { int ew,ec; c->num+=(int)len; if ((sc+len) < 4) /* ugly, add char's to a word */ { l= p[sw]; p_c2l_p(data,l,sc,len); p[sw]=l; } else { ew=(c->num>>2); ec=(c->num&0x03); l= p[sw]; p_c2l(data,l,sc); p[sw++]=l; for (; sw < ew; sw++) { c2l(data,l); p[sw]=l; } if (ec) { c2l_p(data,l,ec); p[sw]=l; } } return; } } /* we now can process the input data in blocks of RIPEMD160_CBLOCK * chars and save the leftovers to c->data. */ #if BYTE_ORDER == LITTLE_ENDIAN if ((((unsigned long)data)%sizeof(u_int32_t)) == 0) { sw=(int)len/RIPEMD160_CBLOCK; if (sw > 0) { sw*=RIPEMD160_CBLOCK; ripemd160_block(c,(u_int32_t *)data,sw); data+=sw; len-=sw; } } #endif p=c->data; while (len >= RIPEMD160_CBLOCK) { #if BYTE_ORDER == LITTLE_ENDIAN || BYTE_ORDER == BIG_ENDIAN if (p != (u_int32_t *)data) memcpy(p,data,RIPEMD160_CBLOCK); data+=RIPEMD160_CBLOCK; #if BYTE_ORDER == BIG_ENDIAN for (sw=(RIPEMD160_LBLOCK/4); sw; sw--) { Endian_Reverse32(p[0]); Endian_Reverse32(p[1]); Endian_Reverse32(p[2]); Endian_Reverse32(p[3]); p+=4; } #endif #else for (sw=(RIPEMD160_LBLOCK/4); sw; sw--) { c2l(data,l); *(p++)=l; c2l(data,l); *(p++)=l; c2l(data,l); *(p++)=l; c2l(data,l); *(p++)=l; } #endif p=c->data; ripemd160_block(c,p,64); len-=RIPEMD160_CBLOCK; } sc=(int)len; c->num=sc; if (sc) { sw=sc>>2; /* words to copy */ #if BYTE_ORDER == LITTLE_ENDIAN p[sw]=0; memcpy(p,data,sc); #else sc&=0x03; for ( ; sw; sw--) { c2l(data,l); *(p++)=l; } c2l_p(data,l,sc); *p=l; #endif } } void RIPEMD160_Transform(c,b) RIPEMD160_CTX *c; unsigned char *b; { u_int32_t p[16]; #if BYTE_ORDER != LITTLE_ENDIAN u_int32_t *q; int i; #endif #if BYTE_ORDER == BIG_ENDIAN || BYTE_ORDER == LITTLE_ENDIAN memcpy(p,b,64); #if BYTE_ORDER == BIG_ENDIAN q=p; for (i=(RIPEMD160_LBLOCK/4); i; i--) { Endian_Reverse32(q[0]); Endian_Reverse32(q[1]); Endian_Reverse32(q[2]); Endian_Reverse32(q[3]); q+=4; } #endif #else q=p; for (i=(RIPEMD160_LBLOCK/4); i; i--) { u_int32_t l; c2l(b,l); *(q++)=l; c2l(b,l); *(q++)=l; c2l(b,l); *(q++)=l; c2l(b,l); *(q++)=l; } #endif ripemd160_block(c,p,64); } #ifndef RMD160_ASM void ripemd160_block(ctx, X, num) RIPEMD160_CTX *ctx; const u_int32_t *X; int num; { u_int32_t A,B,C,D,E; u_int32_t a,b,c,d,e; for (;;) { A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E; RIP1(A,B,C,D,E,WL00,SL00); RIP1(E,A,B,C,D,WL01,SL01); RIP1(D,E,A,B,C,WL02,SL02); RIP1(C,D,E,A,B,WL03,SL03); RIP1(B,C,D,E,A,WL04,SL04); RIP1(A,B,C,D,E,WL05,SL05); RIP1(E,A,B,C,D,WL06,SL06); RIP1(D,E,A,B,C,WL07,SL07); RIP1(C,D,E,A,B,WL08,SL08); RIP1(B,C,D,E,A,WL09,SL09); RIP1(A,B,C,D,E,WL10,SL10); RIP1(E,A,B,C,D,WL11,SL11); RIP1(D,E,A,B,C,WL12,SL12); RIP1(C,D,E,A,B,WL13,SL13); RIP1(B,C,D,E,A,WL14,SL14); RIP1(A,B,C,D,E,WL15,SL15); RIP2(E,A,B,C,D,WL16,SL16,KL1); RIP2(D,E,A,B,C,WL17,SL17,KL1); RIP2(C,D,E,A,B,WL18,SL18,KL1); RIP2(B,C,D,E,A,WL19,SL19,KL1); RIP2(A,B,C,D,E,WL20,SL20,KL1); RIP2(E,A,B,C,D,WL21,SL21,KL1); RIP2(D,E,A,B,C,WL22,SL22,KL1); RIP2(C,D,E,A,B,WL23,SL23,KL1); RIP2(B,C,D,E,A,WL24,SL24,KL1); RIP2(A,B,C,D,E,WL25,SL25,KL1); RIP2(E,A,B,C,D,WL26,SL26,KL1); RIP2(D,E,A,B,C,WL27,SL27,KL1); RIP2(C,D,E,A,B,WL28,SL28,KL1); RIP2(B,C,D,E,A,WL29,SL29,KL1); RIP2(A,B,C,D,E,WL30,SL30,KL1); RIP2(E,A,B,C,D,WL31,SL31,KL1); RIP3(D,E,A,B,C,WL32,SL32,KL2); RIP3(C,D,E,A,B,WL33,SL33,KL2); RIP3(B,C,D,E,A,WL34,SL34,KL2); RIP3(A,B,C,D,E,WL35,SL35,KL2); RIP3(E,A,B,C,D,WL36,SL36,KL2); RIP3(D,E,A,B,C,WL37,SL37,KL2); RIP3(C,D,E,A,B,WL38,SL38,KL2); RIP3(B,C,D,E,A,WL39,SL39,KL2); RIP3(A,B,C,D,E,WL40,SL40,KL2); RIP3(E,A,B,C,D,WL41,SL41,KL2); RIP3(D,E,A,B,C,WL42,SL42,KL2); RIP3(C,D,E,A,B,WL43,SL43,KL2); RIP3(B,C,D,E,A,WL44,SL44,KL2); RIP3(A,B,C,D,E,WL45,SL45,KL2); RIP3(E,A,B,C,D,WL46,SL46,KL2); RIP3(D,E,A,B,C,WL47,SL47,KL2); RIP4(C,D,E,A,B,WL48,SL48,KL3); RIP4(B,C,D,E,A,WL49,SL49,KL3); RIP4(A,B,C,D,E,WL50,SL50,KL3); RIP4(E,A,B,C,D,WL51,SL51,KL3); RIP4(D,E,A,B,C,WL52,SL52,KL3); RIP4(C,D,E,A,B,WL53,SL53,KL3); RIP4(B,C,D,E,A,WL54,SL54,KL3); RIP4(A,B,C,D,E,WL55,SL55,KL3); RIP4(E,A,B,C,D,WL56,SL56,KL3); RIP4(D,E,A,B,C,WL57,SL57,KL3); RIP4(C,D,E,A,B,WL58,SL58,KL3); RIP4(B,C,D,E,A,WL59,SL59,KL3); RIP4(A,B,C,D,E,WL60,SL60,KL3); RIP4(E,A,B,C,D,WL61,SL61,KL3); RIP4(D,E,A,B,C,WL62,SL62,KL3); RIP4(C,D,E,A,B,WL63,SL63,KL3); RIP5(B,C,D,E,A,WL64,SL64,KL4); RIP5(A,B,C,D,E,WL65,SL65,KL4); RIP5(E,A,B,C,D,WL66,SL66,KL4); RIP5(D,E,A,B,C,WL67,SL67,KL4); RIP5(C,D,E,A,B,WL68,SL68,KL4); RIP5(B,C,D,E,A,WL69,SL69,KL4); RIP5(A,B,C,D,E,WL70,SL70,KL4); RIP5(E,A,B,C,D,WL71,SL71,KL4); RIP5(D,E,A,B,C,WL72,SL72,KL4); RIP5(C,D,E,A,B,WL73,SL73,KL4); RIP5(B,C,D,E,A,WL74,SL74,KL4); RIP5(A,B,C,D,E,WL75,SL75,KL4); RIP5(E,A,B,C,D,WL76,SL76,KL4); RIP5(D,E,A,B,C,WL77,SL77,KL4); RIP5(C,D,E,A,B,WL78,SL78,KL4); RIP5(B,C,D,E,A,WL79,SL79,KL4); a=A; b=B; c=C; d=D; e=E; /* Do other half */ A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E; RIP5(A,B,C,D,E,WR00,SR00,KR0); RIP5(E,A,B,C,D,WR01,SR01,KR0); RIP5(D,E,A,B,C,WR02,SR02,KR0); RIP5(C,D,E,A,B,WR03,SR03,KR0); RIP5(B,C,D,E,A,WR04,SR04,KR0); RIP5(A,B,C,D,E,WR05,SR05,KR0); RIP5(E,A,B,C,D,WR06,SR06,KR0); RIP5(D,E,A,B,C,WR07,SR07,KR0); RIP5(C,D,E,A,B,WR08,SR08,KR0); RIP5(B,C,D,E,A,WR09,SR09,KR0); RIP5(A,B,C,D,E,WR10,SR10,KR0); RIP5(E,A,B,C,D,WR11,SR11,KR0); RIP5(D,E,A,B,C,WR12,SR12,KR0); RIP5(C,D,E,A,B,WR13,SR13,KR0); RIP5(B,C,D,E,A,WR14,SR14,KR0); RIP5(A,B,C,D,E,WR15,SR15,KR0); RIP4(E,A,B,C,D,WR16,SR16,KR1); RIP4(D,E,A,B,C,WR17,SR17,KR1); RIP4(C,D,E,A,B,WR18,SR18,KR1); RIP4(B,C,D,E,A,WR19,SR19,KR1); RIP4(A,B,C,D,E,WR20,SR20,KR1); RIP4(E,A,B,C,D,WR21,SR21,KR1); RIP4(D,E,A,B,C,WR22,SR22,KR1); RIP4(C,D,E,A,B,WR23,SR23,KR1); RIP4(B,C,D,E,A,WR24,SR24,KR1); RIP4(A,B,C,D,E,WR25,SR25,KR1); RIP4(E,A,B,C,D,WR26,SR26,KR1); RIP4(D,E,A,B,C,WR27,SR27,KR1); RIP4(C,D,E,A,B,WR28,SR28,KR1); RIP4(B,C,D,E,A,WR29,SR29,KR1); RIP4(A,B,C,D,E,WR30,SR30,KR1); RIP4(E,A,B,C,D,WR31,SR31,KR1); RIP3(D,E,A,B,C,WR32,SR32,KR2); RIP3(C,D,E,A,B,WR33,SR33,KR2); RIP3(B,C,D,E,A,WR34,SR34,KR2); RIP3(A,B,C,D,E,WR35,SR35,KR2); RIP3(E,A,B,C,D,WR36,SR36,KR2); RIP3(D,E,A,B,C,WR37,SR37,KR2); RIP3(C,D,E,A,B,WR38,SR38,KR2); RIP3(B,C,D,E,A,WR39,SR39,KR2); RIP3(A,B,C,D,E,WR40,SR40,KR2); RIP3(E,A,B,C,D,WR41,SR41,KR2); RIP3(D,E,A,B,C,WR42,SR42,KR2); RIP3(C,D,E,A,B,WR43,SR43,KR2); RIP3(B,C,D,E,A,WR44,SR44,KR2); RIP3(A,B,C,D,E,WR45,SR45,KR2); RIP3(E,A,B,C,D,WR46,SR46,KR2); RIP3(D,E,A,B,C,WR47,SR47,KR2); RIP2(C,D,E,A,B,WR48,SR48,KR3); RIP2(B,C,D,E,A,WR49,SR49,KR3); RIP2(A,B,C,D,E,WR50,SR50,KR3); RIP2(E,A,B,C,D,WR51,SR51,KR3); RIP2(D,E,A,B,C,WR52,SR52,KR3); RIP2(C,D,E,A,B,WR53,SR53,KR3); RIP2(B,C,D,E,A,WR54,SR54,KR3); RIP2(A,B,C,D,E,WR55,SR55,KR3); RIP2(E,A,B,C,D,WR56,SR56,KR3); RIP2(D,E,A,B,C,WR57,SR57,KR3); RIP2(C,D,E,A,B,WR58,SR58,KR3); RIP2(B,C,D,E,A,WR59,SR59,KR3); RIP2(A,B,C,D,E,WR60,SR60,KR3); RIP2(E,A,B,C,D,WR61,SR61,KR3); RIP2(D,E,A,B,C,WR62,SR62,KR3); RIP2(C,D,E,A,B,WR63,SR63,KR3); RIP1(B,C,D,E,A,WR64,SR64); RIP1(A,B,C,D,E,WR65,SR65); RIP1(E,A,B,C,D,WR66,SR66); RIP1(D,E,A,B,C,WR67,SR67); RIP1(C,D,E,A,B,WR68,SR68); RIP1(B,C,D,E,A,WR69,SR69); RIP1(A,B,C,D,E,WR70,SR70); RIP1(E,A,B,C,D,WR71,SR71); RIP1(D,E,A,B,C,WR72,SR72); RIP1(C,D,E,A,B,WR73,SR73); RIP1(B,C,D,E,A,WR74,SR74); RIP1(A,B,C,D,E,WR75,SR75); RIP1(E,A,B,C,D,WR76,SR76); RIP1(D,E,A,B,C,WR77,SR77); RIP1(C,D,E,A,B,WR78,SR78); RIP1(B,C,D,E,A,WR79,SR79); D =ctx->B+c+D; ctx->B=ctx->C+d+E; ctx->C=ctx->D+e+A; ctx->D=ctx->E+a+B; ctx->E=ctx->A+b+C; ctx->A=D; X+=16; num-=64; if (num <= 0) break; } } #endif void RIPEMD160_Final(md, c) unsigned char *md; RIPEMD160_CTX *c; { int i,j; u_int32_t l; u_int32_t *p; static unsigned char end[4]={0x80,0x00,0x00,0x00}; unsigned char *cp=end; /* c->num should definitly have room for at least one more byte. */ p=c->data; j=c->num; i=j>>2; /* purify often complains about the following line as an * Uninitialized Memory Read. While this can be true, the * following p_c2l macro will reset l when that case is true. * This is because j&0x03 contains the number of 'valid' bytes * already in p[i]. If and only if j&0x03 == 0, the UMR will * occur but this is also the only time p_c2l will do * l= *(cp++) instead of l|= *(cp++) * Many thanks to Alex Tang for pickup this * 'potential bug' */ #ifdef PURIFY if ((j&0x03) == 0) p[i]=0; #endif l=p[i]; p_c2l(cp,l,j&0x03); p[i]=l; i++; /* i is the next 'undefined word' */ if (c->num >= RIPEMD160_LAST_BLOCK) { for (; iNl; p[RIPEMD160_LBLOCK-1]=c->Nh; ripemd160_block(c,p,64); cp=md; l=c->A; l2c(l,cp); l=c->B; l2c(l,cp); l=c->C; l2c(l,cp); l=c->D; l2c(l,cp); l=c->E; l2c(l,cp); - /* clear stuff, ripemd160_block may be leaving some stuff on the stack - * but I'm not worried :-) */ - c->num=0; -/* memset((char *)&c,0,sizeof(c));*/ + /* Clear the context state */ + explicit_bzero(&c, sizeof(c)); } #ifdef undef int printit(l) unsigned long *l; { int i,ii; for (i=0; i<2; i++) { for (ii=0; ii<8; ii++) { fprintf(stderr,"%08lx ",l[i*8+ii]); } fprintf(stderr,"\n"); } } #endif #ifdef WEAK_REFS /* When building libmd, provide weak references. Note: this is not activated in the context of compiling these sources for internal use in libcrypt. */ #undef RIPEMD160_Init __weak_reference(_libmd_RIPEMD160_Init, RIPEMD160_Init); #undef RIPEMD160_Update __weak_reference(_libmd_RIPEMD160_Update, RIPEMD160_Update); #undef RIPEMD160_Final __weak_reference(_libmd_RIPEMD160_Final, RIPEMD160_Final); #undef RIPEMD160_Transform __weak_reference(_libmd_RIPEMD160_Transform, RIPEMD160_Transform); #undef RMD160_version __weak_reference(_libmd_RMD160_version, RMD160_version); #undef ripemd160_block __weak_reference(_libmd_ripemd160_block, ripemd160_block); #endif Index: head/lib/libmd/sha.3 =================================================================== --- head/lib/libmd/sha.3 (revision 336538) +++ head/lib/libmd/sha.3 (revision 336539) @@ -1,186 +1,188 @@ .\" .\" ---------------------------------------------------------------------------- .\" "THE BEER-WARE LICENSE" (Revision 42): .\" wrote this file. As long as you retain this notice you .\" can do whatever you want with this stuff. If we meet some day, and you think .\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp .\" ---------------------------------------------------------------------------- .\" .\" From: Id: mdX.3,v 1.14 1999/02/11 20:31:49 wollman Exp .\" $FreeBSD$ .\" -.Dd April 26, 2016 +.Dd July 20, 2018 .Dt SHA 3 .Os .Sh NAME .Nm SHA_Init , .Nm SHA_Update , .Nm SHA_Final , .Nm SHA_End , .Nm SHA_File , .Nm SHA_FileChunk , .Nm SHA_Data , .Nm SHA1_Init , .Nm SHA1_Update , .Nm SHA1_Final , .Nm SHA1_End , .Nm SHA1_File , .Nm SHA1_FileChunk , .Nm SHA1_Data .Nd calculate the FIPS 160 and 160-1 ``SHA'' message digests .Sh LIBRARY .Lb libmd .Sh SYNOPSIS .In sys/types.h .In sha.h .Ft void .Fn SHA_Init "SHA_CTX *context" .Ft void .Fn SHA_Update "SHA_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SHA_Final "unsigned char digest[20]" "SHA_CTX *context" .Ft "char *" .Fn SHA_End "SHA_CTX *context" "char *buf" .Ft "char *" .Fn SHA_File "const char *filename" "char *buf" .Ft "char *" .Fn SHA_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SHA_Data "const unsigned char *data" "unsigned int len" "char *buf" .Ft void .Fn SHA1_Init "SHA_CTX *context" .Ft void .Fn SHA1_Update "SHA_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SHA1_Final "unsigned char digest[20]" "SHA_CTX *context" .Ft "char *" .Fn SHA1_End "SHA_CTX *context" "char *buf" .Ft "char *" .Fn SHA1_File "const char *filename" "char *buf" .Ft "char *" .Fn SHA1_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SHA1_Data "const unsigned char *data" "unsigned int len" "char *buf" .Sh DESCRIPTION The .Li SHA_ and .Li SHA1_ functions calculate a 160-bit cryptographic checksum (digest) for any number of input bytes. A cryptographic checksum is a one-way hash function; that is, it is computationally impractical to find the input corresponding to a particular output. This net result is a .Dq fingerprint of the input-data, which does not disclose the actual input. .Pp .Tn SHA (or .Tn SHA-0 ) is the original Secure Hash Algorithm specified in .Tn FIPS 160. It was quickly proven insecure, and has been superseded by .Tn SHA-1 . .Tn SHA-0 is included for compatibility purposes only. .Pp The .Fn SHA1_Init , .Fn SHA1_Update , and .Fn SHA1_Final functions are the core functions. Allocate an .Vt SHA_CTX , initialize it with .Fn SHA1_Init , run over the data with .Fn SHA1_Update , and finally extract the result using -.Fn SHA1_Final . +.Fn SHA1_Final , +which will also erase the +.Vt SHA_CTX . .Pp .Fn SHA1_End is a wrapper for .Fn SHA1_Final which converts the return value to a 41-character (including the terminating '\e0') .Tn ASCII string which represents the 160 bits in hexadecimal. .Pp .Fn SHA1_File calculates the digest of a file, and uses .Fn SHA1_End to return the result. If the file cannot be opened, a null pointer is returned. .Fn SHA1_FileChunk is similar to .Fn SHA1_File , but it only calculates the digest over a byte-range of the file specified, starting at .Fa offset and spanning .Fa length bytes. If the .Fa length parameter is specified as 0, or more than the length of the remaining part of the file, .Fn SHA1_FileChunk calculates the digest from .Fa offset to the end of file. .Fn SHA1_Data calculates the digest of a chunk of data in memory, and uses .Fn SHA1_End to return the result. .Pp When using .Fn SHA1_End , .Fn SHA1_File , or .Fn SHA1_Data , the .Fa buf argument can be a null pointer, in which case the returned string is allocated with .Xr malloc 3 and subsequently must be explicitly deallocated using .Xr free 3 after use. If the .Fa buf argument is non-null it must point to at least 41 characters of buffer space. .Sh SEE ALSO .Xr md4 3 , .Xr md5 3 , .Xr ripemd 3 , .Xr sha256 3 , .Xr sha512 3 , .Xr skein 3 .Sh HISTORY These functions appeared in .Fx 4.0 . .Sh AUTHORS The core hash routines were implemented by Eric Young based on the published .Tn FIPS standards. .Sh BUGS No method is known to exist which finds two files having the same hash value, nor to find a file with a specific hash value. There is on the other hand no guarantee that such a method does not exist. .Pp The .Tn IA32 (Intel) implementation of .Tn SHA-1 makes heavy use of the .Ql bswapl instruction, which is not present on the original 80386. Attempts to use .Tn SHA-1 on those processors will cause an illegal instruction trap. (Arguably, the kernel should simply emulate this instruction.) Index: head/lib/libmd/sha0c.c =================================================================== --- head/lib/libmd/sha0c.c (revision 336538) +++ head/lib/libmd/sha0c.c (revision 336539) @@ -1,454 +1,452 @@ /* crypto/sha/sha_dgst.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include __FBSDID("$FreeBSD$"); #include #include #include #if 0 #include /* we use the __ variants of bit-sized types */ #endif #include #define SHA_0 #undef SHA_1 #include "sha.h" #include "sha_locl.h" char *SHA_version="SHA part of SSLeay 0.9.0b 11-Oct-1998"; /* Implemented from SHA-0 document - The Secure Hash Algorithm */ #define INIT_DATA_h0 (unsigned long)0x67452301L #define INIT_DATA_h1 (unsigned long)0xefcdab89L #define INIT_DATA_h2 (unsigned long)0x98badcfeL #define INIT_DATA_h3 (unsigned long)0x10325476L #define INIT_DATA_h4 (unsigned long)0xc3d2e1f0L #define K_00_19 0x5a827999L #define K_20_39 0x6ed9eba1L #define K_40_59 0x8f1bbcdcL #define K_60_79 0xca62c1d6L #ifndef NOPROTO void sha_block(SHA_CTX *c, const u_int32_t *p, int num); #else void sha_block(); #endif #define M_c2nl c2nl #define M_p_c2nl p_c2nl #define M_c2nl_p c2nl_p #define M_p_c2nl_p p_c2nl_p #define M_nl2c nl2c void SHA_Init(c) SHA_CTX *c; { c->h0=INIT_DATA_h0; c->h1=INIT_DATA_h1; c->h2=INIT_DATA_h2; c->h3=INIT_DATA_h3; c->h4=INIT_DATA_h4; c->Nl=0; c->Nh=0; c->num=0; } void SHA_Update(c, in, len) SHA_CTX *c; const void *in; size_t len; { u_int32_t *p; int ew,ec,sw,sc; u_int32_t l; const unsigned char *data = in; if (len == 0) return; l=(c->Nl+(len<<3))&0xffffffffL; if (l < c->Nl) /* overflow */ c->Nh++; c->Nh+=(len>>29); c->Nl=l; if (c->num != 0) { p=c->data; sw=c->num>>2; sc=c->num&0x03; if ((c->num+len) >= SHA_CBLOCK) { l= p[sw]; M_p_c2nl(data,l,sc); p[sw++]=l; for (; swnum); sha_block(c,p,64); c->num=0; /* drop through and do the rest */ } else { c->num+=(int)len; if ((sc+len) < 4) /* ugly, add char's to a word */ { l= p[sw]; M_p_c2nl_p(data,l,sc,len); p[sw]=l; } else { ew=(c->num>>2); ec=(c->num&0x03); l= p[sw]; M_p_c2nl(data,l,sc); p[sw++]=l; for (; sw < ew; sw++) { M_c2nl(data,l); p[sw]=l; } if (ec) { M_c2nl_p(data,l,ec); p[sw]=l; } } return; } } /* We can only do the following code for assember, the reason * being that the sha_block 'C' version changes the values * in the 'data' array. The assember code avoids this and * copies it to a local array. I should be able to do this for * the C version as well.... */ #if 1 #if BYTE_ORDER == BIG_ENDIAN || defined(SHA_ASM) if ((((unsigned int)data)%sizeof(u_int32_t)) == 0) { sw=len/SHA_CBLOCK; if (sw) { sw*=SHA_CBLOCK; sha_block(c,(u_int32_t *)data,sw); data+=sw; len-=sw; } } #endif #endif /* we now can process the input data in blocks of SHA_CBLOCK * chars and save the leftovers to c->data. */ p=c->data; while (len >= SHA_CBLOCK) { #if BYTE_ORDER == BIG_ENDIAN || BYTE_ORDER == LITTLE_ENDIAN if (p != (u_int32_t *)data) memcpy(p,data,SHA_CBLOCK); data+=SHA_CBLOCK; # if BYTE_ORDER == LITTLE_ENDIAN # ifndef SHA_ASM /* Will not happen */ for (sw=(SHA_LBLOCK/4); sw; sw--) { Endian_Reverse32(p[0]); Endian_Reverse32(p[1]); Endian_Reverse32(p[2]); Endian_Reverse32(p[3]); p+=4; } p=c->data; # endif # endif #else for (sw=(SHA_BLOCK/4); sw; sw--) { M_c2nl(data,l); *(p++)=l; M_c2nl(data,l); *(p++)=l; M_c2nl(data,l); *(p++)=l; M_c2nl(data,l); *(p++)=l; } p=c->data; #endif sha_block(c,p,64); len-=SHA_CBLOCK; } ec=(int)len; c->num=ec; ew=(ec>>2); ec&=0x03; for (sw=0; sw < ew; sw++) { M_c2nl(data,l); p[sw]=l; } M_c2nl_p(data,l,ec); p[sw]=l; } void SHA_Transform(c,b) SHA_CTX *c; unsigned char *b; { u_int32_t p[16]; #if BYTE_ORDER == LITTLE_ENDIAN u_int32_t *q; int i; #endif #if BYTE_ORDER == BIG_ENDIAN || BYTE_ORDER == LITTLE_ENDIAN memcpy(p,b,64); #if BYTE_ORDER == LITTLE_ENDIAN q=p; for (i=(SHA_LBLOCK/4); i; i--) { Endian_Reverse32(q[0]); Endian_Reverse32(q[1]); Endian_Reverse32(q[2]); Endian_Reverse32(q[3]); q+=4; } #endif #else q=p; for (i=(SHA_LBLOCK/4); i; i--) { u_int32_t l; c2nl(b,l); *(q++)=l; c2nl(b,l); *(q++)=l; c2nl(b,l); *(q++)=l; c2nl(b,l); *(q++)=l; } #endif sha_block(c,p,64); } void sha_block(c, W, num) SHA_CTX *c; const u_int32_t *W; int num; { u_int32_t A,B,C,D,E,T; u_int32_t X[16]; A=c->h0; B=c->h1; C=c->h2; D=c->h3; E=c->h4; for (;;) { BODY_00_15( 0,A,B,C,D,E,T,W); BODY_00_15( 1,T,A,B,C,D,E,W); BODY_00_15( 2,E,T,A,B,C,D,W); BODY_00_15( 3,D,E,T,A,B,C,W); BODY_00_15( 4,C,D,E,T,A,B,W); BODY_00_15( 5,B,C,D,E,T,A,W); BODY_00_15( 6,A,B,C,D,E,T,W); BODY_00_15( 7,T,A,B,C,D,E,W); BODY_00_15( 8,E,T,A,B,C,D,W); BODY_00_15( 9,D,E,T,A,B,C,W); BODY_00_15(10,C,D,E,T,A,B,W); BODY_00_15(11,B,C,D,E,T,A,W); BODY_00_15(12,A,B,C,D,E,T,W); BODY_00_15(13,T,A,B,C,D,E,W); BODY_00_15(14,E,T,A,B,C,D,W); BODY_00_15(15,D,E,T,A,B,C,W); BODY_16_19(16,C,D,E,T,A,B,W,W,W,W); BODY_16_19(17,B,C,D,E,T,A,W,W,W,W); BODY_16_19(18,A,B,C,D,E,T,W,W,W,W); BODY_16_19(19,T,A,B,C,D,E,W,W,W,X); BODY_20_31(20,E,T,A,B,C,D,W,W,W,X); BODY_20_31(21,D,E,T,A,B,C,W,W,W,X); BODY_20_31(22,C,D,E,T,A,B,W,W,W,X); BODY_20_31(23,B,C,D,E,T,A,W,W,W,X); BODY_20_31(24,A,B,C,D,E,T,W,W,X,X); BODY_20_31(25,T,A,B,C,D,E,W,W,X,X); BODY_20_31(26,E,T,A,B,C,D,W,W,X,X); BODY_20_31(27,D,E,T,A,B,C,W,W,X,X); BODY_20_31(28,C,D,E,T,A,B,W,W,X,X); BODY_20_31(29,B,C,D,E,T,A,W,W,X,X); BODY_20_31(30,A,B,C,D,E,T,W,X,X,X); BODY_20_31(31,T,A,B,C,D,E,W,X,X,X); BODY_32_39(32,E,T,A,B,C,D,X); BODY_32_39(33,D,E,T,A,B,C,X); BODY_32_39(34,C,D,E,T,A,B,X); BODY_32_39(35,B,C,D,E,T,A,X); BODY_32_39(36,A,B,C,D,E,T,X); BODY_32_39(37,T,A,B,C,D,E,X); BODY_32_39(38,E,T,A,B,C,D,X); BODY_32_39(39,D,E,T,A,B,C,X); BODY_40_59(40,C,D,E,T,A,B,X); BODY_40_59(41,B,C,D,E,T,A,X); BODY_40_59(42,A,B,C,D,E,T,X); BODY_40_59(43,T,A,B,C,D,E,X); BODY_40_59(44,E,T,A,B,C,D,X); BODY_40_59(45,D,E,T,A,B,C,X); BODY_40_59(46,C,D,E,T,A,B,X); BODY_40_59(47,B,C,D,E,T,A,X); BODY_40_59(48,A,B,C,D,E,T,X); BODY_40_59(49,T,A,B,C,D,E,X); BODY_40_59(50,E,T,A,B,C,D,X); BODY_40_59(51,D,E,T,A,B,C,X); BODY_40_59(52,C,D,E,T,A,B,X); BODY_40_59(53,B,C,D,E,T,A,X); BODY_40_59(54,A,B,C,D,E,T,X); BODY_40_59(55,T,A,B,C,D,E,X); BODY_40_59(56,E,T,A,B,C,D,X); BODY_40_59(57,D,E,T,A,B,C,X); BODY_40_59(58,C,D,E,T,A,B,X); BODY_40_59(59,B,C,D,E,T,A,X); BODY_60_79(60,A,B,C,D,E,T,X); BODY_60_79(61,T,A,B,C,D,E,X); BODY_60_79(62,E,T,A,B,C,D,X); BODY_60_79(63,D,E,T,A,B,C,X); BODY_60_79(64,C,D,E,T,A,B,X); BODY_60_79(65,B,C,D,E,T,A,X); BODY_60_79(66,A,B,C,D,E,T,X); BODY_60_79(67,T,A,B,C,D,E,X); BODY_60_79(68,E,T,A,B,C,D,X); BODY_60_79(69,D,E,T,A,B,C,X); BODY_60_79(70,C,D,E,T,A,B,X); BODY_60_79(71,B,C,D,E,T,A,X); BODY_60_79(72,A,B,C,D,E,T,X); BODY_60_79(73,T,A,B,C,D,E,X); BODY_60_79(74,E,T,A,B,C,D,X); BODY_60_79(75,D,E,T,A,B,C,X); BODY_60_79(76,C,D,E,T,A,B,X); BODY_60_79(77,B,C,D,E,T,A,X); BODY_60_79(78,A,B,C,D,E,T,X); BODY_60_79(79,T,A,B,C,D,E,X); c->h0=(c->h0+E)&0xffffffffL; c->h1=(c->h1+T)&0xffffffffL; c->h2=(c->h2+A)&0xffffffffL; c->h3=(c->h3+B)&0xffffffffL; c->h4=(c->h4+C)&0xffffffffL; num-=64; if (num <= 0) break; A=c->h0; B=c->h1; C=c->h2; D=c->h3; E=c->h4; W+=16; } } void SHA_Final(md, c) unsigned char *md; SHA_CTX *c; { int i,j; u_int32_t l; u_int32_t *p; static unsigned char end[4]={0x80,0x00,0x00,0x00}; unsigned char *cp=end; /* c->num should definitly have room for at least one more byte. */ p=c->data; j=c->num; i=j>>2; #ifdef PURIFY if ((j&0x03) == 0) p[i]=0; #endif l=p[i]; M_p_c2nl(cp,l,j&0x03); p[i]=l; i++; /* i is the next 'undefined word' */ if (c->num >= SHA_LAST_BLOCK) { for (; iNh; p[SHA_LBLOCK-1]=c->Nl; sha_block(c,p,64); cp=md; l=c->h0; nl2c(l,cp); l=c->h1; nl2c(l,cp); l=c->h2; nl2c(l,cp); l=c->h3; nl2c(l,cp); l=c->h4; nl2c(l,cp); - /* clear stuff, sha_block may be leaving some stuff on the stack - * but I'm not worried :-) */ - c->num=0; -/* memset((char *)&c,0,sizeof(c));*/ + /* Clear the context state */ + explicit_bzero(&c, sizeof(c)); } Index: head/lib/libmd/sha1c.c =================================================================== --- head/lib/libmd/sha1c.c (revision 336538) +++ head/lib/libmd/sha1c.c (revision 336539) @@ -1,520 +1,518 @@ /* crypto/sha/sha1dgst.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include __FBSDID("$FreeBSD$"); #include #include #include #if 0 #include /* we use the __ variants of bit-sized types */ #endif #include #undef SHA_0 #define SHA_1 #include "sha.h" #include "sha_locl.h" /* * The assembly-language code is not position-independent, so don't * try to use it in a shared library. */ #ifdef PIC #undef SHA1_ASM #endif char *SHA1_version="SHA1 part of SSLeay 0.9.0b 11-Oct-1998"; /* Implemented from SHA-1 document - The Secure Hash Algorithm */ #define INIT_DATA_h0 (unsigned long)0x67452301L #define INIT_DATA_h1 (unsigned long)0xefcdab89L #define INIT_DATA_h2 (unsigned long)0x98badcfeL #define INIT_DATA_h3 (unsigned long)0x10325476L #define INIT_DATA_h4 (unsigned long)0xc3d2e1f0L #define K_00_19 0x5a827999L #define K_20_39 0x6ed9eba1L #define K_40_59 0x8f1bbcdcL #define K_60_79 0xca62c1d6L #ifndef NOPROTO # ifdef SHA1_ASM void sha1_block_x86(SHA_CTX *c, const u_int32_t *p, int num); # define sha1_block sha1_block_x86 # else void sha1_block(SHA_CTX *c, const u_int32_t *p, int num); # endif #else # ifdef SHA1_ASM void sha1_block_x86(); # define sha1_block sha1_block_x86 # else void sha1_block(); # endif #endif #if BYTE_ORDER == LITTLE_ENDIAN && defined(SHA1_ASM) # define M_c2nl c2l # define M_p_c2nl p_c2l # define M_c2nl_p c2l_p # define M_p_c2nl_p p_c2l_p # define M_nl2c l2c #else # define M_c2nl c2nl # define M_p_c2nl p_c2nl # define M_c2nl_p c2nl_p # define M_p_c2nl_p p_c2nl_p # define M_nl2c nl2c #endif void SHA1_Init(c) SHA_CTX *c; { c->h0=INIT_DATA_h0; c->h1=INIT_DATA_h1; c->h2=INIT_DATA_h2; c->h3=INIT_DATA_h3; c->h4=INIT_DATA_h4; c->Nl=0; c->Nh=0; c->num=0; } void SHA1_Update(c, in, len) SHA_CTX *c; const void *in; size_t len; { u_int32_t *p; int ew,ec,sw,sc; u_int32_t l; const unsigned char *data = in; if (len == 0) return; l=(c->Nl+(len<<3))&0xffffffffL; if (l < c->Nl) /* overflow */ c->Nh++; c->Nh+=(len>>29); c->Nl=l; if (c->num != 0) { p=c->data; sw=c->num>>2; sc=c->num&0x03; if ((c->num+len) >= SHA_CBLOCK) { l= p[sw]; M_p_c2nl(data,l,sc); p[sw++]=l; for (; swnum); sha1_block(c,p,64); c->num=0; /* drop through and do the rest */ } else { c->num+=(int)len; if ((sc+len) < 4) /* ugly, add char's to a word */ { l= p[sw]; M_p_c2nl_p(data,l,sc,len); p[sw]=l; } else { ew=(c->num>>2); ec=(c->num&0x03); l= p[sw]; M_p_c2nl(data,l,sc); p[sw++]=l; for (; sw < ew; sw++) { M_c2nl(data,l); p[sw]=l; } if (ec) { M_c2nl_p(data,l,ec); p[sw]=l; } } return; } } /* We can only do the following code for assember, the reason * being that the sha1_block 'C' version changes the values * in the 'data' array. The assember code avoids this and * copies it to a local array. I should be able to do this for * the C version as well.... */ #if 1 #if BYTE_ORDER == BIG_ENDIAN || defined(SHA1_ASM) if ((((unsigned int)data)%sizeof(u_int32_t)) == 0) { sw=len/SHA_CBLOCK; if (sw) { sw*=SHA_CBLOCK; sha1_block(c,(u_int32_t *)data,sw); data+=sw; len-=sw; } } #endif #endif /* we now can process the input data in blocks of SHA_CBLOCK * chars and save the leftovers to c->data. */ p=c->data; while (len >= SHA_CBLOCK) { #if BYTE_ORDER == BIG_ENDIAN || BYTE_ORDER == LITTLE_ENDIAN if (p != (u_int32_t *)data) memcpy(p,data,SHA_CBLOCK); data+=SHA_CBLOCK; # if BYTE_ORDER == LITTLE_ENDIAN # ifndef SHA1_ASM /* Will not happen */ for (sw=(SHA_LBLOCK/4); sw; sw--) { Endian_Reverse32(p[0]); Endian_Reverse32(p[1]); Endian_Reverse32(p[2]); Endian_Reverse32(p[3]); p+=4; } p=c->data; # endif # endif #else for (sw=(SHA_BLOCK/4); sw; sw--) { M_c2nl(data,l); *(p++)=l; M_c2nl(data,l); *(p++)=l; M_c2nl(data,l); *(p++)=l; M_c2nl(data,l); *(p++)=l; } p=c->data; #endif sha1_block(c,p,64); len-=SHA_CBLOCK; } ec=(int)len; c->num=ec; ew=(ec>>2); ec&=0x03; for (sw=0; sw < ew; sw++) { M_c2nl(data,l); p[sw]=l; } M_c2nl_p(data,l,ec); p[sw]=l; } void SHA1_Transform(c,b) SHA_CTX *c; unsigned char *b; { u_int32_t p[16]; #if BYTE_ORDER != BIG_ENDIAN u_int32_t *q; int i; #endif #if BYTE_ORDER == BIG_ENDIAN || BYTE_ORDER == LITTLE_ENDIAN memcpy(p,b,64); #if BYTE_ORDER == LITTLE_ENDIAN q=p; for (i=(SHA_LBLOCK/4); i; i--) { Endian_Reverse32(q[0]); Endian_Reverse32(q[1]); Endian_Reverse32(q[2]); Endian_Reverse32(q[3]); q+=4; } #endif #else q=p; for (i=(SHA_LBLOCK/4); i; i--) { u_int32_t l; c2nl(b,l); *(q++)=l; c2nl(b,l); *(q++)=l; c2nl(b,l); *(q++)=l; c2nl(b,l); *(q++)=l; } #endif sha1_block(c,p,64); } #ifndef SHA1_ASM void sha1_block(c, W, num) SHA_CTX *c; const u_int32_t *W; int num; { u_int32_t A,B,C,D,E,T; u_int32_t X[16]; A=c->h0; B=c->h1; C=c->h2; D=c->h3; E=c->h4; for (;;) { BODY_00_15( 0,A,B,C,D,E,T,W); BODY_00_15( 1,T,A,B,C,D,E,W); BODY_00_15( 2,E,T,A,B,C,D,W); BODY_00_15( 3,D,E,T,A,B,C,W); BODY_00_15( 4,C,D,E,T,A,B,W); BODY_00_15( 5,B,C,D,E,T,A,W); BODY_00_15( 6,A,B,C,D,E,T,W); BODY_00_15( 7,T,A,B,C,D,E,W); BODY_00_15( 8,E,T,A,B,C,D,W); BODY_00_15( 9,D,E,T,A,B,C,W); BODY_00_15(10,C,D,E,T,A,B,W); BODY_00_15(11,B,C,D,E,T,A,W); BODY_00_15(12,A,B,C,D,E,T,W); BODY_00_15(13,T,A,B,C,D,E,W); BODY_00_15(14,E,T,A,B,C,D,W); BODY_00_15(15,D,E,T,A,B,C,W); BODY_16_19(16,C,D,E,T,A,B,W,W,W,W); BODY_16_19(17,B,C,D,E,T,A,W,W,W,W); BODY_16_19(18,A,B,C,D,E,T,W,W,W,W); BODY_16_19(19,T,A,B,C,D,E,W,W,W,X); BODY_20_31(20,E,T,A,B,C,D,W,W,W,X); BODY_20_31(21,D,E,T,A,B,C,W,W,W,X); BODY_20_31(22,C,D,E,T,A,B,W,W,W,X); BODY_20_31(23,B,C,D,E,T,A,W,W,W,X); BODY_20_31(24,A,B,C,D,E,T,W,W,X,X); BODY_20_31(25,T,A,B,C,D,E,W,W,X,X); BODY_20_31(26,E,T,A,B,C,D,W,W,X,X); BODY_20_31(27,D,E,T,A,B,C,W,W,X,X); BODY_20_31(28,C,D,E,T,A,B,W,W,X,X); BODY_20_31(29,B,C,D,E,T,A,W,W,X,X); BODY_20_31(30,A,B,C,D,E,T,W,X,X,X); BODY_20_31(31,T,A,B,C,D,E,W,X,X,X); BODY_32_39(32,E,T,A,B,C,D,X); BODY_32_39(33,D,E,T,A,B,C,X); BODY_32_39(34,C,D,E,T,A,B,X); BODY_32_39(35,B,C,D,E,T,A,X); BODY_32_39(36,A,B,C,D,E,T,X); BODY_32_39(37,T,A,B,C,D,E,X); BODY_32_39(38,E,T,A,B,C,D,X); BODY_32_39(39,D,E,T,A,B,C,X); BODY_40_59(40,C,D,E,T,A,B,X); BODY_40_59(41,B,C,D,E,T,A,X); BODY_40_59(42,A,B,C,D,E,T,X); BODY_40_59(43,T,A,B,C,D,E,X); BODY_40_59(44,E,T,A,B,C,D,X); BODY_40_59(45,D,E,T,A,B,C,X); BODY_40_59(46,C,D,E,T,A,B,X); BODY_40_59(47,B,C,D,E,T,A,X); BODY_40_59(48,A,B,C,D,E,T,X); BODY_40_59(49,T,A,B,C,D,E,X); BODY_40_59(50,E,T,A,B,C,D,X); BODY_40_59(51,D,E,T,A,B,C,X); BODY_40_59(52,C,D,E,T,A,B,X); BODY_40_59(53,B,C,D,E,T,A,X); BODY_40_59(54,A,B,C,D,E,T,X); BODY_40_59(55,T,A,B,C,D,E,X); BODY_40_59(56,E,T,A,B,C,D,X); BODY_40_59(57,D,E,T,A,B,C,X); BODY_40_59(58,C,D,E,T,A,B,X); BODY_40_59(59,B,C,D,E,T,A,X); BODY_60_79(60,A,B,C,D,E,T,X); BODY_60_79(61,T,A,B,C,D,E,X); BODY_60_79(62,E,T,A,B,C,D,X); BODY_60_79(63,D,E,T,A,B,C,X); BODY_60_79(64,C,D,E,T,A,B,X); BODY_60_79(65,B,C,D,E,T,A,X); BODY_60_79(66,A,B,C,D,E,T,X); BODY_60_79(67,T,A,B,C,D,E,X); BODY_60_79(68,E,T,A,B,C,D,X); BODY_60_79(69,D,E,T,A,B,C,X); BODY_60_79(70,C,D,E,T,A,B,X); BODY_60_79(71,B,C,D,E,T,A,X); BODY_60_79(72,A,B,C,D,E,T,X); BODY_60_79(73,T,A,B,C,D,E,X); BODY_60_79(74,E,T,A,B,C,D,X); BODY_60_79(75,D,E,T,A,B,C,X); BODY_60_79(76,C,D,E,T,A,B,X); BODY_60_79(77,B,C,D,E,T,A,X); BODY_60_79(78,A,B,C,D,E,T,X); BODY_60_79(79,T,A,B,C,D,E,X); c->h0=(c->h0+E)&0xffffffffL; c->h1=(c->h1+T)&0xffffffffL; c->h2=(c->h2+A)&0xffffffffL; c->h3=(c->h3+B)&0xffffffffL; c->h4=(c->h4+C)&0xffffffffL; num-=64; if (num <= 0) break; A=c->h0; B=c->h1; C=c->h2; D=c->h3; E=c->h4; W+=16; } } #endif void SHA1_Final(md, c) unsigned char *md; SHA_CTX *c; { int i,j; u_int32_t l; u_int32_t *p; static unsigned char end[4]={0x80,0x00,0x00,0x00}; unsigned char *cp=end; /* c->num should definitly have room for at least one more byte. */ p=c->data; j=c->num; i=j>>2; #ifdef PURIFY if ((j&0x03) == 0) p[i]=0; #endif l=p[i]; M_p_c2nl(cp,l,j&0x03); p[i]=l; i++; /* i is the next 'undefined word' */ if (c->num >= SHA_LAST_BLOCK) { for (; iNh; p[SHA_LBLOCK-1]=c->Nl; #if BYTE_ORDER == LITTLE_ENDIAN && defined(SHA1_ASM) Endian_Reverse32(p[SHA_LBLOCK-2]); Endian_Reverse32(p[SHA_LBLOCK-1]); #endif sha1_block(c,p,64); cp=md; l=c->h0; nl2c(l,cp); l=c->h1; nl2c(l,cp); l=c->h2; nl2c(l,cp); l=c->h3; nl2c(l,cp); l=c->h4; nl2c(l,cp); - /* clear stuff, sha1_block may be leaving some stuff on the stack - * but I'm not worried :-) */ - c->num=0; -/* memset((char *)&c,0,sizeof(c));*/ + /* Clear the context state */ + explicit_bzero(&c, sizeof(c)); } #ifdef WEAK_REFS /* When building libmd, provide weak references. Note: this is not activated in the context of compiling these sources for internal use in libcrypt. */ #undef SHA_Init __weak_reference(_libmd_SHA_Init, SHA_Init); #undef SHA_Update __weak_reference(_libmd_SHA_Update, SHA_Update); #undef SHA_Final __weak_reference(_libmd_SHA_Final, SHA_Final); #undef SHA_Transform __weak_reference(_libmd_SHA_Transform, SHA_Transform); #undef SHA_version __weak_reference(_libmd_SHA_version, SHA_version); #undef sha_block __weak_reference(_libmd_sha_block, sha_block); #undef SHA1_Init __weak_reference(_libmd_SHA1_Init, SHA1_Init); #undef SHA1_Update __weak_reference(_libmd_SHA1_Update, SHA1_Update); #undef SHA1_Final __weak_reference(_libmd_SHA1_Final, SHA1_Final); #undef SHA1_Transform __weak_reference(_libmd_SHA1_Transform, SHA1_Transform); #undef SHA1_version __weak_reference(_libmd_SHA1_version, SHA1_version); #undef sha1_block __weak_reference(_libmd_sha1_block, sha1_block); #endif Index: head/lib/libmd/sha256.3 =================================================================== --- head/lib/libmd/sha256.3 (revision 336538) +++ head/lib/libmd/sha256.3 (revision 336539) @@ -1,165 +1,167 @@ .\" .\" ---------------------------------------------------------------------------- .\" "THE BEER-WARE LICENSE" (Revision 42): .\" wrote this file. As long as you retain this notice you .\" can do whatever you want with this stuff. If we meet some day, and you think .\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp .\" ---------------------------------------------------------------------------- .\" .\" From: Id: mdX.3,v 1.14 1999/02/11 20:31:49 wollman Exp .\" $FreeBSD$ .\" -.Dd July 9, 2018 +.Dd July 20, 2018 .Dt SHA256 3 .Os .Sh NAME .Nm SHA224_Init , .Nm SHA224_Update , .Nm SHA224_Final , .Nm SHA224_End , .Nm SHA224_File , .Nm SHA224_FileChunk , .Nm SHA224_Data , .Nm SHA256_Init , .Nm SHA256_Update , .Nm SHA256_Final , .Nm SHA256_End , .Nm SHA256_File , .Nm SHA256_FileChunk , .Nm SHA256_Data .Nd calculate the FIPS 180-2 ``SHA-256'' (or SHA-224) message digest .Sh LIBRARY .Lb libmd .Sh SYNOPSIS .In sys/types.h .In sha224.h .Ft void .Fn SHA224_Init "SHA224_CTX *context" .Ft void .Fn SHA224_Update "SHA224_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SHA224_Final "unsigned char digest[32]" "SHA224_CTX *context" .Ft "char *" .Fn SHA224_End "SHA224_CTX *context" "char *buf" .Ft "char *" .Fn SHA224_File "const char *filename" "char *buf" .Ft "char *" .Fn SHA224_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SHA224_Data "const unsigned char *data" "unsigned int len" "char *buf" .In sha256.h .Ft void .Fn SHA256_Init "SHA256_CTX *context" .Ft void .Fn SHA256_Update "SHA256_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SHA256_Final "unsigned char digest[32]" "SHA256_CTX *context" .Ft "char *" .Fn SHA256_End "SHA256_CTX *context" "char *buf" .Ft "char *" .Fn SHA256_File "const char *filename" "char *buf" .Ft "char *" .Fn SHA256_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SHA256_Data "const unsigned char *data" "unsigned int len" "char *buf" .Sh DESCRIPTION The .Li SHA256_ functions calculate a 256-bit cryptographic checksum (digest) for any number of input bytes. A cryptographic checksum is a one-way hash function; that is, it is computationally impractical to find the input corresponding to a particular output. This net result is a .Dq fingerprint of the input-data, which does not disclose the actual input. .Pp The .Fn SHA256_Init , .Fn SHA256_Update , and .Fn SHA256_Final functions are the core functions. Allocate an .Vt SHA256_CTX , initialize it with .Fn SHA256_Init , run over the data with .Fn SHA256_Update , and finally extract the result using -.Fn SHA256_Final . +.Fn SHA256_Final , +which will also erase the +.Vt SHA256_CTX . .Pp .Fn SHA256_End is a wrapper for .Fn SHA256_Final which converts the return value to a 65-character (including the terminating '\e0') .Tn ASCII string which represents the 256 bits in hexadecimal. .Pp .Fn SHA256_File calculates the digest of a file, and uses .Fn SHA256_End to return the result. If the file cannot be opened, a null pointer is returned. .Fn SHA256_FileChunk is similar to .Fn SHA256_File , but it only calculates the digest over a byte-range of the file specified, starting at .Fa offset and spanning .Fa length bytes. If the .Fa length parameter is specified as 0, or more than the length of the remaining part of the file, .Fn SHA256_FileChunk calculates the digest from .Fa offset to the end of file. .Fn SHA256_Data calculates the digest of a chunk of data in memory, and uses .Fn SHA256_End to return the result. .Pp When using .Fn SHA256_End , .Fn SHA256_File , or .Fn SHA256_Data , the .Fa buf argument can be a null pointer, in which case the returned string is allocated with .Xr malloc 3 and subsequently must be explicitly deallocated using .Xr free 3 after use. If the .Fa buf argument is non-null it must point to at least 65 characters of buffer space. .Pp SHA224 is identical SHA256, except it has slightly different initialization vectors, and is truncated to a shorter digest. .Sh SEE ALSO .Xr md4 3 , .Xr md5 3 , .Xr ripemd 3 , .Xr sha 3 , .Xr sha512 3 , .Xr skein 3 .Sh HISTORY These functions appeared in .Fx 6.0 . .Sh AUTHORS The core hash routines were implemented by Colin Percival based on the published .Tn FIPS 180-2 standard. .Sh BUGS No method is known to exist which finds two files having the same hash value, nor to find a file with a specific hash value. There is on the other hand no guarantee that such a method does not exist. Index: head/lib/libmd/sha512.3 =================================================================== --- head/lib/libmd/sha512.3 (revision 336538) +++ head/lib/libmd/sha512.3 (revision 336539) @@ -1,210 +1,212 @@ .\" .\" ---------------------------------------------------------------------------- .\" "THE BEER-WARE LICENSE" (Revision 42): .\" wrote this file. As long as you retain this notice you .\" can do whatever you want with this stuff. If we meet some day, and you think .\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp .\" ---------------------------------------------------------------------------- .\" .\" From: Id: mdX.3,v 1.14 1999/02/11 20:31:49 wollman Exp .\" $FreeBSD$ .\" -.Dd April 22, 2016 +.Dd July 20, 2018 .Dt SHA512 3 .Os .Sh NAME .Nm SHA512_Init , .Nm SHA512_Update , .Nm SHA512_Final , .Nm SHA512_End , .Nm SHA512_File , .Nm SHA512_FileChunk , .Nm SHA512_Data , .Nm SHA384_Init , .Nm SHA384_Update , .Nm SHA384_Final , .Nm SHA384_End , .Nm SHA384_File , .Nm SHA384_FileChunk , .Nm SHA384_Data , .Nm SHA512_256_Init , .Nm SHA512_256_Update , .Nm SHA512_256_Final , .Nm SHA512_256_End , .Nm SHA512_256_File , .Nm SHA512_256_FileChunk , .Nm SHA512_256_Data .Nd calculate the FIPS 180-4 ``SHA-512'' family of message digests .Sh LIBRARY .Lb libmd .Sh SYNOPSIS .In sys/types.h .In sha512.h .Ft void .Fn SHA512_Init "SHA512_CTX *context" .Ft void .Fn SHA512_Update "SHA512_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SHA512_Final "unsigned char digest[64]" "SHA512_CTX *context" .Ft "char *" .Fn SHA512_End "SHA512_CTX *context" "char *buf" .Ft "char *" .Fn SHA512_File "const char *filename" "char *buf" .Ft "char *" .Fn SHA512_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SHA512_Data "const unsigned char *data" "unsigned int len" "char *buf" .In sha384.h .Ft void .Fn SHA384_Init "SHA384_CTX *context" .Ft void .Fn SHA384_Update "SHA384_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SHA384_Final "unsigned char digest[48]" "SHA384_CTX *context" .Ft "char *" .Fn SHA384_End "SHA384_CTX *context" "char *buf" .Ft "char *" .Fn SHA384_File "const char *filename" "char *buf" .Ft "char *" .Fn SHA384_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SHA384_Data "const unsigned char *data" "unsigned int len" "char *buf" .In sha512t.h .Ft void .Fn SHA512_256_Init "SHA512_CTX *context" .Ft void .Fn SHA512_256_Update "SHA512_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SHA512_256_Final "unsigned char digest[32]" "SHA512_CTX *context" .Ft "char *" .Fn SHA512_256_End "SHA512_CTX *context" "char *buf" .Ft "char *" .Fn SHA512_256_File "const char *filename" "char *buf" .Ft "char *" .Fn SHA512_256_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SHA512_256_Data "const unsigned char *data" "unsigned int len" "char *buf" .Sh DESCRIPTION The .Li SHA512_ functions calculate a 512-bit cryptographic checksum (digest) for any number of input bytes. A cryptographic checksum is a one-way hash function; that is, it is computationally impractical to find the input corresponding to a particular output. This net result is a .Dq fingerprint of the input-data, which does not disclose the actual input. .Pp The .Fn SHA512_Init , .Fn SHA512_Update , and .Fn SHA512_Final functions are the core functions. Allocate an .Vt SHA512_CTX , initialize it with .Fn SHA512_Init , run over the data with .Fn SHA512_Update , and finally extract the result using -.Fn SHA512_Final . +.Fn SHA512_Final , +which will also erase the +.Vt SHA512_CTX . .Pp .Fn SHA512_End is a wrapper for .Fn SHA512_Final which converts the return value to a 129-character (including the terminating '\e0') .Tn ASCII string which represents the 512 bits in hexadecimal. .Pp .Fn SHA512_File calculates the digest of a file, and uses .Fn SHA512_End to return the result. If the file cannot be opened, a null pointer is returned. .Fn SHA512_FileChunk is similar to .Fn SHA512_File , but it only calculates the digest over a byte-range of the file specified, starting at .Fa offset and spanning .Fa length bytes. If the .Fa length parameter is specified as 0, or more than the length of the remaining part of the file, .Fn SHA512_FileChunk calculates the digest from .Fa offset to the end of file. .Fn SHA512_Data calculates the digest of a chunk of data in memory, and uses .Fn SHA512_End to return the result. .Pp When using .Fn SHA512_End , .Fn SHA512_File , or .Fn SHA512_Data , the .Fa buf argument can be a null pointer, in which case the returned string is allocated with .Xr malloc 3 and subsequently must be explicitly deallocated using .Xr free 3 after use. If the .Fa buf argument is non-null it must point to at least 129 characters of buffer space. .Pp The .Li SHA384_ and .Li SHA512_256_ functions are identical to the .Li SHA512_ functions except they use a different initial hash value and the output is truncated to 384 bits and 256 bits respectively. .Pp .Fn SHA384_End is a wrapper for .Fn SHA384_Final which converts the return value to a 97-character (including the terminating '\e0') .Tn ASCII string which represents the 384 bits in hexadecimal. .Pp .Fn SHA512_256_End is a wrapper for .Fn SHA512_Final which converts the return value to a 65-character (including the terminating '\e0') .Tn ASCII string which represents the 256 bits in hexadecimal. .Sh SEE ALSO .Xr md4 3 , .Xr md5 3 , .Xr ripemd 3 , .Xr sha 3 , .Xr sha256 3 , .Xr sha512 3 , .Xr skein 3 .Sh HISTORY These functions appeared in .Fx 9.0 . .Sh AUTHORS The core hash routines were implemented by Colin Percival based on the published .Tn FIPS 180-2 standard. .Sh BUGS No method is known to exist which finds two files having the same hash value, nor to find a file with a specific hash value. There is on the other hand no guarantee that such a method does not exist. Index: head/lib/libmd/skein.3 =================================================================== --- head/lib/libmd/skein.3 (revision 336538) +++ head/lib/libmd/skein.3 (revision 336539) @@ -1,214 +1,216 @@ .\"- .\" Copyright (c) 2016 Allan Jude .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $FreeBSD$ .\" .Dd May 28, 2016 .Dt SKEIN 3 .Os .Sh NAME .Nm SKEIN256_Init , .Nm SKEIN256_Update , .Nm SKEIN256_Final , .Nm SKEIN256_End , .Nm SKEIN256_File , .Nm SKEIN256_FileChunk , .Nm SKEIN256_Data , .Nm SKEIN512_Init , .Nm SKEIN512_Update , .Nm SKEIN512_Final , .Nm SKEIN512_End , .Nm SKEIN512_File , .Nm SKEIN512_FileChunk , .Nm SKEIN512_Data , .Nm SKEIN1024_Init , .Nm SKEIN1024_Update , .Nm SKEIN1024_Final , .Nm SKEIN1024_End , .Nm SKEIN1024_File , .Nm SKEIN1024_FileChunk , .Nm SKEIN1024_Data .Nd calculate the ``SKEIN'' family of message digests .Sh LIBRARY .Lb libmd .Sh SYNOPSIS .In sys/types.h .In skein.h .Ft void .Fn SKEIN256_Init "SKEIN256_CTX *context" .Ft void .Fn SKEIN256_Update "SKEIN256_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SKEIN256_Final "unsigned char digest[32]" "SKEIN256_CTX *context" .Ft "char *" .Fn SKEIN256_End "SKEIN256_CTX *context" "char *buf" .Ft "char *" .Fn SKEIN256_File "const char *filename" "char *buf" .Ft "char *" .Fn SKEIN256_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SKEIN256_Data "const unsigned char *data" "unsigned int len" "char *buf" .Ft void .Fn SKEIN512_Init "SKEIN512_CTX *context" .Ft void .Fn SKEIN512_Update "SKEIN512_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SKEIN512_Final "unsigned char digest[64]" "SKEIN512_CTX *context" .Ft "char *" .Fn SKEIN512_End "SKEIN512_CTX *context" "char *buf" .Ft "char *" .Fn SKEIN512_File "const char *filename" "char *buf" .Ft "char *" .Fn SKEIN512_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SKEIN512_Data "const unsigned char *data" "unsigned int len" "char *buf" .Ft void .Fn SKEIN1024_Init "SKEIN1024_CTX *context" .Ft void .Fn SKEIN1024_Update "SKEIN1024_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SKEIN1024_Final "unsigned char digest[128]" "SKEIN1024_CTX *context" .Ft "char *" .Fn SKEIN1024_End "SKEIN1024_CTX *context" "char *buf" .Ft "char *" .Fn SKEIN1024_File "const char *filename" "char *buf" .Ft "char *" .Fn SKEIN1024_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SKEIN1024_Data "const unsigned char *data" "unsigned int len" "char *buf" .Sh DESCRIPTION .Li Skein is a new family of cryptographic hash functions based on the .Li Threefish large-block cipher. Its design combines speed, security, simplicity, and a great deal of flexibility in a modular package that is easy to analyze. .Li Skein is defined for three different internal state sizes\(em256 bits, 512 bits, and 1024 bits\(emand any output size. This allows Skein to be a drop-in replacement for the entire SHA family of hash functions. .Pp The .Fn SKEIN256_Init , .Fn SKEIN256_Update , and .Fn SKEIN256_Final functions are the core functions. Allocate an .Vt SKEIN256_CTX , initialize it with .Fn SKEIN256_Init , run over the data with .Fn SKEIN256_Update , and finally extract the result using -.Fn SKEIN256_Final . +.Fn SKEIN256_Final , +which will also erase the +.Vt SKEIN256_CTX . .Pp .Fn SKEIN256_End is a wrapper for .Fn SKEIN256_Final which converts the return value to a 33-character (including the terminating '\e0') .Tn ASCII string which represents the 256 bits in hexadecimal. .Pp .Fn SKEIN256_File calculates the digest of a file, and uses .Fn SKEIN256_End to return the result. If the file cannot be opened, a null pointer is returned. .Fn SKEIN256_FileChunk is similar to .Fn SKEIN256_File , but it only calculates the digest over a byte-range of the file specified, starting at .Fa offset and spanning .Fa length bytes. If the .Fa length parameter is specified as 0, or more than the length of the remaining part of the file, .Fn SKEIN256_FileChunk calculates the digest from .Fa offset to the end of file. .Fn SKEIN256_Data calculates the digest of a chunk of data in memory, and uses .Fn SKEIN256_End to return the result. .Pp When using .Fn SKEIN256_End , .Fn SKEIN256_File , or .Fn SKEIN256_Data , the .Fa buf argument can be a null pointer, in which case the returned string is allocated with .Xr malloc 3 and subsequently must be explicitly deallocated using .Xr free 3 after use. If the .Fa buf argument is non-null it must point to at least 33 characters of buffer space. .Pp The .Li SKEIN512_ and .Li SKEIN1024_ functions are similar to the .Li SKEIN256_ functions except they produce a 512-bit, 65 character, or 1024-bit, 129 character, output. .Sh SEE ALSO .Xr md4 3 , .Xr md5 3 , .Xr ripemd 3 , .Xr sha 3 , .Xr sha256 3 , .Xr sha512 3 .Sh HISTORY These functions appeared in .Fx 11.0 . .Sh AUTHORS .An -nosplit The core hash routines were imported from version 1.3 of the optimized Skein reference implementation written by .An Doug Whiting as submitted to the NSA SHA-3 contest. The algorithms were developed by .An Niels Ferguson , .An Stefan Lucks , .An Bruce Schneier , .An Doug Whiting , .An Mihir Bellare , .An Tadayoshi Kohno , .An Jon Callas, and .An Jesse Walker . Index: head/sys/crypto/sha2/sha256c.c =================================================================== --- head/sys/crypto/sha2/sha256c.c (revision 336538) +++ head/sys/crypto/sha2/sha256c.c (revision 336539) @@ -1,374 +1,374 @@ /*- * Copyright 2005 Colin Percival * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #ifdef _KERNEL #include #else #include #endif #include "sha224.h" #include "sha256.h" #if BYTE_ORDER == BIG_ENDIAN /* Copy a vector of big-endian uint32_t into a vector of bytes */ #define be32enc_vect(dst, src, len) \ memcpy((void *)dst, (const void *)src, (size_t)len) /* Copy a vector of bytes into a vector of big-endian uint32_t */ #define be32dec_vect(dst, src, len) \ memcpy((void *)dst, (const void *)src, (size_t)len) #else /* BYTE_ORDER != BIG_ENDIAN */ /* * Encode a length len/4 vector of (uint32_t) into a length len vector of * (unsigned char) in big-endian form. Assumes len is a multiple of 4. */ static void be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) { size_t i; for (i = 0; i < len / 4; i++) be32enc(dst + i * 4, src[i]); } /* * Decode a big-endian length len vector of (unsigned char) into a length * len/4 vector of (uint32_t). Assumes len is a multiple of 4. */ static void be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) { size_t i; for (i = 0; i < len / 4; i++) dst[i] = be32dec(src + i * 4); } #endif /* BYTE_ORDER != BIG_ENDIAN */ /* SHA256 round constants. */ static const uint32_t K[64] = { 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 }; /* Elementary functions used by SHA256 */ #define Ch(x, y, z) ((x & (y ^ z)) ^ z) #define Maj(x, y, z) ((x & (y | z)) | (y & z)) #define SHR(x, n) (x >> n) #define ROTR(x, n) ((x >> n) | (x << (32 - n))) #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) /* SHA256 round function */ #define RND(a, b, c, d, e, f, g, h, k) \ h += S1(e) + Ch(e, f, g) + k; \ d += h; \ h += S0(a) + Maj(a, b, c); /* Adjusted round function for rotating state */ #define RNDr(S, W, i, ii) \ RND(S[(64 - i) % 8], S[(65 - i) % 8], \ S[(66 - i) % 8], S[(67 - i) % 8], \ S[(68 - i) % 8], S[(69 - i) % 8], \ S[(70 - i) % 8], S[(71 - i) % 8], \ W[i + ii] + K[i + ii]) /* Message schedule computation */ #define MSCH(W, ii, i) \ W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii] /* * SHA256 block compression function. The 256-bit state is transformed via * the 512-bit input block to produce a new state. */ static void SHA256_Transform(uint32_t * state, const unsigned char block[64]) { uint32_t W[64]; uint32_t S[8]; int i; /* 1. Prepare the first part of the message schedule W. */ be32dec_vect(W, block, 64); /* 2. Initialize working variables. */ memcpy(S, state, 32); /* 3. Mix. */ for (i = 0; i < 64; i += 16) { RNDr(S, W, 0, i); RNDr(S, W, 1, i); RNDr(S, W, 2, i); RNDr(S, W, 3, i); RNDr(S, W, 4, i); RNDr(S, W, 5, i); RNDr(S, W, 6, i); RNDr(S, W, 7, i); RNDr(S, W, 8, i); RNDr(S, W, 9, i); RNDr(S, W, 10, i); RNDr(S, W, 11, i); RNDr(S, W, 12, i); RNDr(S, W, 13, i); RNDr(S, W, 14, i); RNDr(S, W, 15, i); if (i == 48) break; MSCH(W, 0, i); MSCH(W, 1, i); MSCH(W, 2, i); MSCH(W, 3, i); MSCH(W, 4, i); MSCH(W, 5, i); MSCH(W, 6, i); MSCH(W, 7, i); MSCH(W, 8, i); MSCH(W, 9, i); MSCH(W, 10, i); MSCH(W, 11, i); MSCH(W, 12, i); MSCH(W, 13, i); MSCH(W, 14, i); MSCH(W, 15, i); } /* 4. Mix local working variables into global state */ for (i = 0; i < 8; i++) state[i] += S[i]; } static unsigned char PAD[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* Add padding and terminating bit-count. */ static void SHA256_Pad(SHA256_CTX * ctx) { size_t r; /* Figure out how many bytes we have buffered. */ r = (ctx->count >> 3) & 0x3f; /* Pad to 56 mod 64, transforming if we finish a block en route. */ if (r < 56) { /* Pad to 56 mod 64. */ memcpy(&ctx->buf[r], PAD, 56 - r); } else { /* Finish the current block and mix. */ memcpy(&ctx->buf[r], PAD, 64 - r); SHA256_Transform(ctx->state, ctx->buf); /* The start of the final block is all zeroes. */ memset(&ctx->buf[0], 0, 56); } /* Add the terminating bit-count. */ be64enc(&ctx->buf[56], ctx->count); /* Mix in the final block. */ SHA256_Transform(ctx->state, ctx->buf); } /* SHA-256 initialization. Begins a SHA-256 operation. */ void SHA256_Init(SHA256_CTX * ctx) { /* Zero bits processed so far */ ctx->count = 0; /* Magic initialization constants */ ctx->state[0] = 0x6A09E667; ctx->state[1] = 0xBB67AE85; ctx->state[2] = 0x3C6EF372; ctx->state[3] = 0xA54FF53A; ctx->state[4] = 0x510E527F; ctx->state[5] = 0x9B05688C; ctx->state[6] = 0x1F83D9AB; ctx->state[7] = 0x5BE0CD19; } /* Add bytes into the hash */ void SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) { uint64_t bitlen; uint32_t r; const unsigned char *src = in; /* Number of bytes left in the buffer from previous updates */ r = (ctx->count >> 3) & 0x3f; /* Convert the length into a number of bits */ bitlen = len << 3; /* Update number of bits */ ctx->count += bitlen; /* Handle the case where we don't need to perform any transforms */ if (len < 64 - r) { memcpy(&ctx->buf[r], src, len); return; } /* Finish the current block */ memcpy(&ctx->buf[r], src, 64 - r); SHA256_Transform(ctx->state, ctx->buf); src += 64 - r; len -= 64 - r; /* Perform complete blocks */ while (len >= 64) { SHA256_Transform(ctx->state, src); src += 64; len -= 64; } /* Copy left over data into buffer */ memcpy(ctx->buf, src, len); } /* * SHA-256 finalization. Pads the input data, exports the hash value, * and clears the context state. */ void SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx) { /* Add padding */ SHA256_Pad(ctx); /* Write the hash */ be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH); /* Clear the context state */ - memset(ctx, 0, sizeof(*ctx)); + explicit_bzero(ctx, sizeof(*ctx)); } /*** SHA-224: *********************************************************/ /* * the SHA224 and SHA256 transforms are identical */ /* SHA-224 initialization. Begins a SHA-224 operation. */ void SHA224_Init(SHA224_CTX * ctx) { /* Zero bits processed so far */ ctx->count = 0; /* Magic initialization constants */ ctx->state[0] = 0xC1059ED8; ctx->state[1] = 0x367CD507; ctx->state[2] = 0x3070DD17; ctx->state[3] = 0xF70E5939; ctx->state[4] = 0xFFC00B31; ctx->state[5] = 0x68581511; ctx->state[6] = 0x64f98FA7; ctx->state[7] = 0xBEFA4FA4; } /* Add bytes into the SHA-224 hash */ void SHA224_Update(SHA224_CTX * ctx, const void *in, size_t len) { SHA256_Update((SHA256_CTX *)ctx, in, len); } /* * SHA-224 finalization. Pads the input data, exports the hash value, * and clears the context state. */ void SHA224_Final(unsigned char digest[static SHA224_DIGEST_LENGTH], SHA224_CTX *ctx) { /* Add padding */ SHA256_Pad((SHA256_CTX *)ctx); /* Write the hash */ be32enc_vect(digest, ctx->state, SHA224_DIGEST_LENGTH); /* Clear the context state */ explicit_bzero(ctx, sizeof(*ctx)); } #ifdef WEAK_REFS /* When building libmd, provide weak references. Note: this is not activated in the context of compiling these sources for internal use in libcrypt. */ #undef SHA256_Init __weak_reference(_libmd_SHA256_Init, SHA256_Init); #undef SHA256_Update __weak_reference(_libmd_SHA256_Update, SHA256_Update); #undef SHA256_Final __weak_reference(_libmd_SHA256_Final, SHA256_Final); #undef SHA256_Transform __weak_reference(_libmd_SHA256_Transform, SHA256_Transform); #undef SHA224_Init __weak_reference(_libmd_SHA224_Init, SHA224_Init); #undef SHA224_Update __weak_reference(_libmd_SHA224_Update, SHA224_Update); #undef SHA224_Final __weak_reference(_libmd_SHA224_Final, SHA224_Final); #endif Index: head/sys/crypto/sha2/sha512c.c =================================================================== --- head/sys/crypto/sha2/sha512c.c (revision 336538) +++ head/sys/crypto/sha2/sha512c.c (revision 336539) @@ -1,503 +1,503 @@ /*- * Copyright 2005 Colin Percival * Copyright (c) 2015 Allan Jude * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #ifdef _KERNEL #include #else #include #endif #include "sha512.h" #include "sha512t.h" #include "sha384.h" #if BYTE_ORDER == BIG_ENDIAN /* Copy a vector of big-endian uint64_t into a vector of bytes */ #define be64enc_vect(dst, src, len) \ memcpy((void *)dst, (const void *)src, (size_t)len) /* Copy a vector of bytes into a vector of big-endian uint64_t */ #define be64dec_vect(dst, src, len) \ memcpy((void *)dst, (const void *)src, (size_t)len) #else /* BYTE_ORDER != BIG_ENDIAN */ /* * Encode a length len/4 vector of (uint64_t) into a length len vector of * (unsigned char) in big-endian form. Assumes len is a multiple of 8. */ static void be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len) { size_t i; for (i = 0; i < len / 8; i++) be64enc(dst + i * 8, src[i]); } /* * Decode a big-endian length len vector of (unsigned char) into a length * len/4 vector of (uint64_t). Assumes len is a multiple of 8. */ static void be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len) { size_t i; for (i = 0; i < len / 8; i++) dst[i] = be64dec(src + i * 8); } #endif /* BYTE_ORDER != BIG_ENDIAN */ /* SHA512 round constants. */ static const uint64_t K[80] = { 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL }; /* Elementary functions used by SHA512 */ #define Ch(x, y, z) ((x & (y ^ z)) ^ z) #define Maj(x, y, z) ((x & (y | z)) | (y & z)) #define SHR(x, n) (x >> n) #define ROTR(x, n) ((x >> n) | (x << (64 - n))) #define S0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) #define S1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) #define s0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7)) #define s1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6)) /* SHA512 round function */ #define RND(a, b, c, d, e, f, g, h, k) \ h += S1(e) + Ch(e, f, g) + k; \ d += h; \ h += S0(a) + Maj(a, b, c); /* Adjusted round function for rotating state */ #define RNDr(S, W, i, ii) \ RND(S[(80 - i) % 8], S[(81 - i) % 8], \ S[(82 - i) % 8], S[(83 - i) % 8], \ S[(84 - i) % 8], S[(85 - i) % 8], \ S[(86 - i) % 8], S[(87 - i) % 8], \ W[i + ii] + K[i + ii]) /* Message schedule computation */ #define MSCH(W, ii, i) \ W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii] /* * SHA512 block compression function. The 512-bit state is transformed via * the 512-bit input block to produce a new state. */ static void SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH]) { uint64_t W[80]; uint64_t S[8]; int i; /* 1. Prepare the first part of the message schedule W. */ be64dec_vect(W, block, SHA512_BLOCK_LENGTH); /* 2. Initialize working variables. */ memcpy(S, state, SHA512_DIGEST_LENGTH); /* 3. Mix. */ for (i = 0; i < 80; i += 16) { RNDr(S, W, 0, i); RNDr(S, W, 1, i); RNDr(S, W, 2, i); RNDr(S, W, 3, i); RNDr(S, W, 4, i); RNDr(S, W, 5, i); RNDr(S, W, 6, i); RNDr(S, W, 7, i); RNDr(S, W, 8, i); RNDr(S, W, 9, i); RNDr(S, W, 10, i); RNDr(S, W, 11, i); RNDr(S, W, 12, i); RNDr(S, W, 13, i); RNDr(S, W, 14, i); RNDr(S, W, 15, i); if (i == 64) break; MSCH(W, 0, i); MSCH(W, 1, i); MSCH(W, 2, i); MSCH(W, 3, i); MSCH(W, 4, i); MSCH(W, 5, i); MSCH(W, 6, i); MSCH(W, 7, i); MSCH(W, 8, i); MSCH(W, 9, i); MSCH(W, 10, i); MSCH(W, 11, i); MSCH(W, 12, i); MSCH(W, 13, i); MSCH(W, 14, i); MSCH(W, 15, i); } /* 4. Mix local working variables into global state */ for (i = 0; i < 8; i++) state[i] += S[i]; } static unsigned char PAD[SHA512_BLOCK_LENGTH] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* Add padding and terminating bit-count. */ static void SHA512_Pad(SHA512_CTX * ctx) { size_t r; /* Figure out how many bytes we have buffered. */ r = (ctx->count[1] >> 3) & 0x7f; /* Pad to 112 mod 128, transforming if we finish a block en route. */ if (r < 112) { /* Pad to 112 mod 128. */ memcpy(&ctx->buf[r], PAD, 112 - r); } else { /* Finish the current block and mix. */ memcpy(&ctx->buf[r], PAD, 128 - r); SHA512_Transform(ctx->state, ctx->buf); /* The start of the final block is all zeroes. */ memset(&ctx->buf[0], 0, 112); } /* Add the terminating bit-count. */ be64enc_vect(&ctx->buf[112], ctx->count, 16); /* Mix in the final block. */ SHA512_Transform(ctx->state, ctx->buf); } /* SHA-512 initialization. Begins a SHA-512 operation. */ void SHA512_Init(SHA512_CTX * ctx) { /* Zero bits processed so far */ ctx->count[0] = ctx->count[1] = 0; /* Magic initialization constants */ ctx->state[0] = 0x6a09e667f3bcc908ULL; ctx->state[1] = 0xbb67ae8584caa73bULL; ctx->state[2] = 0x3c6ef372fe94f82bULL; ctx->state[3] = 0xa54ff53a5f1d36f1ULL; ctx->state[4] = 0x510e527fade682d1ULL; ctx->state[5] = 0x9b05688c2b3e6c1fULL; ctx->state[6] = 0x1f83d9abfb41bd6bULL; ctx->state[7] = 0x5be0cd19137e2179ULL; } /* Add bytes into the hash */ void SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len) { uint64_t bitlen[2]; uint64_t r; const unsigned char *src = in; /* Number of bytes left in the buffer from previous updates */ r = (ctx->count[1] >> 3) & 0x7f; /* Convert the length into a number of bits */ bitlen[1] = ((uint64_t)len) << 3; bitlen[0] = ((uint64_t)len) >> 61; /* Update number of bits */ if ((ctx->count[1] += bitlen[1]) < bitlen[1]) ctx->count[0]++; ctx->count[0] += bitlen[0]; /* Handle the case where we don't need to perform any transforms */ if (len < SHA512_BLOCK_LENGTH - r) { memcpy(&ctx->buf[r], src, len); return; } /* Finish the current block */ memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r); SHA512_Transform(ctx->state, ctx->buf); src += SHA512_BLOCK_LENGTH - r; len -= SHA512_BLOCK_LENGTH - r; /* Perform complete blocks */ while (len >= SHA512_BLOCK_LENGTH) { SHA512_Transform(ctx->state, src); src += SHA512_BLOCK_LENGTH; len -= SHA512_BLOCK_LENGTH; } /* Copy left over data into buffer */ memcpy(ctx->buf, src, len); } /* * SHA-512 finalization. Pads the input data, exports the hash value, * and clears the context state. */ void SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx) { /* Add padding */ SHA512_Pad(ctx); /* Write the hash */ be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH); /* Clear the context state */ - memset(ctx, 0, sizeof(*ctx)); + explicit_bzero(ctx, sizeof(*ctx)); } /*** SHA-512t: *********************************************************/ /* * the SHA512t transforms are identical to SHA512 so reuse the existing function */ void SHA512_224_Init(SHA512_CTX * ctx) { /* Zero bits processed so far */ ctx->count[0] = ctx->count[1] = 0; /* Magic initialization constants */ ctx->state[0] = 0x8c3d37c819544da2ULL; ctx->state[1] = 0x73e1996689dcd4d6ULL; ctx->state[2] = 0x1dfab7ae32ff9c82ULL; ctx->state[3] = 0x679dd514582f9fcfULL; ctx->state[4] = 0x0f6d2b697bd44da8ULL; ctx->state[5] = 0x77e36f7304c48942ULL; ctx->state[6] = 0x3f9d85a86a1d36c8ULL; ctx->state[7] = 0x1112e6ad91d692a1ULL; } void SHA512_224_Update(SHA512_CTX * ctx, const void *in, size_t len) { SHA512_Update(ctx, in, len); } void SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_CTX * ctx) { /* Add padding */ SHA512_Pad(ctx); /* Write the hash */ be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH); /* Clear the context state */ - memset(ctx, 0, sizeof(*ctx)); + explicit_bzero(ctx, sizeof(*ctx)); } void SHA512_256_Init(SHA512_CTX * ctx) { /* Zero bits processed so far */ ctx->count[0] = ctx->count[1] = 0; /* Magic initialization constants */ ctx->state[0] = 0x22312194fc2bf72cULL; ctx->state[1] = 0x9f555fa3c84c64c2ULL; ctx->state[2] = 0x2393b86b6f53b151ULL; ctx->state[3] = 0x963877195940eabdULL; ctx->state[4] = 0x96283ee2a88effe3ULL; ctx->state[5] = 0xbe5e1e2553863992ULL; ctx->state[6] = 0x2b0199fc2c85b8aaULL; ctx->state[7] = 0x0eb72ddc81c52ca2ULL; } void SHA512_256_Update(SHA512_CTX * ctx, const void *in, size_t len) { SHA512_Update(ctx, in, len); } void SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], SHA512_CTX * ctx) { /* Add padding */ SHA512_Pad(ctx); /* Write the hash */ be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH); /* Clear the context state */ - memset(ctx, 0, sizeof(*ctx)); + explicit_bzero(ctx, sizeof(*ctx)); } /*** SHA-384: *********************************************************/ /* * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped */ /* SHA-384 initialization. Begins a SHA-384 operation. */ void SHA384_Init(SHA384_CTX * ctx) { /* Zero bits processed so far */ ctx->count[0] = ctx->count[1] = 0; /* Magic initialization constants */ ctx->state[0] = 0xcbbb9d5dc1059ed8ULL; ctx->state[1] = 0x629a292a367cd507ULL; ctx->state[2] = 0x9159015a3070dd17ULL; ctx->state[3] = 0x152fecd8f70e5939ULL; ctx->state[4] = 0x67332667ffc00b31ULL; ctx->state[5] = 0x8eb44a8768581511ULL; ctx->state[6] = 0xdb0c2e0d64f98fa7ULL; ctx->state[7] = 0x47b5481dbefa4fa4ULL; } /* Add bytes into the SHA-384 hash */ void SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len) { SHA512_Update((SHA512_CTX *)ctx, in, len); } /* * SHA-384 finalization. Pads the input data, exports the hash value, * and clears the context state. */ void SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx) { /* Add padding */ SHA512_Pad((SHA512_CTX *)ctx); /* Write the hash */ be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH); /* Clear the context state */ - memset(ctx, 0, sizeof(*ctx)); + explicit_bzero(ctx, sizeof(*ctx)); } #ifdef WEAK_REFS /* When building libmd, provide weak references. Note: this is not activated in the context of compiling these sources for internal use in libcrypt. */ #undef SHA512_Init __weak_reference(_libmd_SHA512_Init, SHA512_Init); #undef SHA512_Update __weak_reference(_libmd_SHA512_Update, SHA512_Update); #undef SHA512_Final __weak_reference(_libmd_SHA512_Final, SHA512_Final); #undef SHA512_Transform __weak_reference(_libmd_SHA512_Transform, SHA512_Transform); #undef SHA512_224_Init __weak_reference(_libmd_SHA512_224_Init, SHA512_224_Init); #undef SHA512_224_Update __weak_reference(_libmd_SHA512_224_Update, SHA512_224_Update); #undef SHA512_224_Final __weak_reference(_libmd_SHA512_224_Final, SHA512_224_Final); #undef SHA512_256_Init __weak_reference(_libmd_SHA512_256_Init, SHA512_256_Init); #undef SHA512_256_Update __weak_reference(_libmd_SHA512_256_Update, SHA512_256_Update); #undef SHA512_256_Final __weak_reference(_libmd_SHA512_256_Final, SHA512_256_Final); #undef SHA384_Init __weak_reference(_libmd_SHA384_Init, SHA384_Init); #undef SHA384_Update __weak_reference(_libmd_SHA384_Update, SHA384_Update); #undef SHA384_Final __weak_reference(_libmd_SHA384_Final, SHA384_Final); #endif Index: head/sys/crypto/skein/skein.c =================================================================== --- head/sys/crypto/skein/skein.c (revision 336538) +++ head/sys/crypto/skein/skein.c (revision 336539) @@ -1,858 +1,861 @@ /*********************************************************************** ** ** Implementation of the Skein hash function. ** ** Source code author: Doug Whiting, 2008. ** ** This algorithm and source code is released to the public domain. ** ************************************************************************/ #include __FBSDID("$FreeBSD$"); #include #include /* get the memcpy/memset functions */ #ifdef _KERNEL #include #else #include #endif #define SKEIN_PORT_CODE /* instantiate any code in skein_port.h */ #include "skein.h" /* get the Skein API definitions */ #include "skein_iv.h" /* get precomputed IVs */ /*****************************************************************/ /* External function to process blkCnt (nonzero) full block(s) of data. */ void Skein_256_Process_Block(Skein_256_Ctxt_t *ctx,const u08b_t *blkPtr,size_t blkCnt,size_t byteCntAdd); void Skein_512_Process_Block(Skein_512_Ctxt_t *ctx,const u08b_t *blkPtr,size_t blkCnt,size_t byteCntAdd); void Skein1024_Process_Block(Skein1024_Ctxt_t *ctx,const u08b_t *blkPtr,size_t blkCnt,size_t byteCntAdd); /*****************************************************************/ /* 256-bit Skein */ /*****************************************************************/ /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* init the context for a straight hashing operation */ int Skein_256_Init(Skein_256_Ctxt_t *ctx, size_t hashBitLen) { union { u08b_t b[SKEIN_256_STATE_BYTES]; u64b_t w[SKEIN_256_STATE_WORDS]; } cfg; /* config block */ Skein_Assert(hashBitLen > 0,SKEIN_BAD_HASHLEN); ctx->h.hashBitLen = hashBitLen; /* output hash bit count */ switch (hashBitLen) { /* use pre-computed values, where available */ #ifndef SKEIN_NO_PRECOMP case 256: memcpy(ctx->X,SKEIN_256_IV_256,sizeof(ctx->X)); break; case 224: memcpy(ctx->X,SKEIN_256_IV_224,sizeof(ctx->X)); break; case 160: memcpy(ctx->X,SKEIN_256_IV_160,sizeof(ctx->X)); break; case 128: memcpy(ctx->X,SKEIN_256_IV_128,sizeof(ctx->X)); break; #endif default: /* here if there is no precomputed IV value available */ /* build/process the config block, type == CONFIG (could be precomputed) */ Skein_Start_New_Type(ctx,CFG_FINAL); /* set tweaks: T0=0; T1=CFG | FINAL */ cfg.w[0] = Skein_Swap64(SKEIN_SCHEMA_VER); /* set the schema, version */ cfg.w[1] = Skein_Swap64(hashBitLen); /* hash result length in bits */ cfg.w[2] = Skein_Swap64(SKEIN_CFG_TREE_INFO_SEQUENTIAL); memset(&cfg.w[3],0,sizeof(cfg) - 3*sizeof(cfg.w[0])); /* zero pad config block */ /* compute the initial chaining values from config block */ memset(ctx->X,0,sizeof(ctx->X)); /* zero the chaining variables */ Skein_256_Process_Block(ctx,cfg.b,1,SKEIN_CFG_STR_LEN); break; } /* The chaining vars ctx->X are now initialized for the given hashBitLen. */ /* Set up to process the data message portion of the hash (default) */ Skein_Start_New_Type(ctx,MSG); /* T0=0, T1= MSG type */ return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* init the context for a MAC and/or tree hash operation */ /* [identical to Skein_256_Init() when keyBytes == 0 && treeInfo == SKEIN_CFG_TREE_INFO_SEQUENTIAL] */ int Skein_256_InitExt(Skein_256_Ctxt_t *ctx,size_t hashBitLen,u64b_t treeInfo, const u08b_t *key, size_t keyBytes) { union { u08b_t b[SKEIN_256_STATE_BYTES]; u64b_t w[SKEIN_256_STATE_WORDS]; } cfg; /* config block */ Skein_Assert(hashBitLen > 0,SKEIN_BAD_HASHLEN); Skein_Assert(keyBytes == 0 || key != NULL,SKEIN_FAIL); /* compute the initial chaining values ctx->X[], based on key */ if (keyBytes == 0) /* is there a key? */ { memset(ctx->X,0,sizeof(ctx->X)); /* no key: use all zeroes as key for config block */ } else /* here to pre-process a key */ { Skein_assert(sizeof(cfg.b) >= sizeof(ctx->X)); /* do a mini-Init right here */ ctx->h.hashBitLen=8*sizeof(ctx->X); /* set output hash bit count = state size */ Skein_Start_New_Type(ctx,KEY); /* set tweaks: T0 = 0; T1 = KEY type */ memset(ctx->X,0,sizeof(ctx->X)); /* zero the initial chaining variables */ Skein_256_Update(ctx,key,keyBytes); /* hash the key */ Skein_256_Final_Pad(ctx,cfg.b); /* put result into cfg.b[] */ memcpy(ctx->X,cfg.b,sizeof(cfg.b)); /* copy over into ctx->X[] */ #if SKEIN_NEED_SWAP { uint_t i; for (i=0;iX[i] = Skein_Swap64(ctx->X[i]); } #endif } /* build/process the config block, type == CONFIG (could be precomputed for each key) */ ctx->h.hashBitLen = hashBitLen; /* output hash bit count */ Skein_Start_New_Type(ctx,CFG_FINAL); memset(&cfg.w,0,sizeof(cfg.w)); /* pre-pad cfg.w[] with zeroes */ cfg.w[0] = Skein_Swap64(SKEIN_SCHEMA_VER); cfg.w[1] = Skein_Swap64(hashBitLen); /* hash result length in bits */ cfg.w[2] = Skein_Swap64(treeInfo); /* tree hash config info (or SKEIN_CFG_TREE_INFO_SEQUENTIAL) */ Skein_Show_Key(256,&ctx->h,key,keyBytes); /* compute the initial chaining values from config block */ Skein_256_Process_Block(ctx,cfg.b,1,SKEIN_CFG_STR_LEN); /* The chaining vars ctx->X are now initialized */ /* Set up to process the data message portion of the hash (default) */ ctx->h.bCnt = 0; /* buffer b[] starts out empty */ Skein_Start_New_Type(ctx,MSG); return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* process the input bytes */ int Skein_256_Update(Skein_256_Ctxt_t *ctx, const u08b_t *msg, size_t msgByteCnt) { size_t n; Skein_Assert(ctx->h.bCnt <= SKEIN_256_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ /* process full blocks, if any */ if (msgByteCnt + ctx->h.bCnt > SKEIN_256_BLOCK_BYTES) { if (ctx->h.bCnt) /* finish up any buffered message data */ { n = SKEIN_256_BLOCK_BYTES - ctx->h.bCnt; /* # bytes free in buffer b[] */ if (n) { Skein_assert(n < msgByteCnt); /* check on our logic here */ memcpy(&ctx->b[ctx->h.bCnt],msg,n); msgByteCnt -= n; msg += n; ctx->h.bCnt += n; } Skein_assert(ctx->h.bCnt == SKEIN_256_BLOCK_BYTES); Skein_256_Process_Block(ctx,ctx->b,1,SKEIN_256_BLOCK_BYTES); ctx->h.bCnt = 0; } /* now process any remaining full blocks, directly from input message data */ if (msgByteCnt > SKEIN_256_BLOCK_BYTES) { n = (msgByteCnt-1) / SKEIN_256_BLOCK_BYTES; /* number of full blocks to process */ Skein_256_Process_Block(ctx,msg,n,SKEIN_256_BLOCK_BYTES); msgByteCnt -= n * SKEIN_256_BLOCK_BYTES; msg += n * SKEIN_256_BLOCK_BYTES; } Skein_assert(ctx->h.bCnt == 0); } /* copy any remaining source message data bytes into b[] */ if (msgByteCnt) { Skein_assert(msgByteCnt + ctx->h.bCnt <= SKEIN_256_BLOCK_BYTES); memcpy(&ctx->b[ctx->h.bCnt],msg,msgByteCnt); ctx->h.bCnt += msgByteCnt; } return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* finalize the hash computation and output the result */ int Skein_256_Final(Skein_256_Ctxt_t *ctx, u08b_t *hashVal) { size_t i,n,byteCnt; u64b_t X[SKEIN_256_STATE_WORDS]; Skein_Assert(ctx->h.bCnt <= SKEIN_256_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ ctx->h.T[1] |= SKEIN_T1_FLAG_FINAL; /* tag as the final block */ if (ctx->h.bCnt < SKEIN_256_BLOCK_BYTES) /* zero pad b[] if necessary */ memset(&ctx->b[ctx->h.bCnt],0,SKEIN_256_BLOCK_BYTES - ctx->h.bCnt); Skein_256_Process_Block(ctx,ctx->b,1,ctx->h.bCnt); /* process the final block */ /* now output the result */ byteCnt = (ctx->h.hashBitLen + 7) >> 3; /* total number of output bytes */ /* run Threefish in "counter mode" to generate output */ memset(ctx->b,0,sizeof(ctx->b)); /* zero out b[], so it can hold the counter */ memcpy(X,ctx->X,sizeof(X)); /* keep a local copy of counter mode "key" */ for (i=0;i*SKEIN_256_BLOCK_BYTES < byteCnt;i++) { ((u64b_t *)ctx->b)[0]= Skein_Swap64((u64b_t) i); /* build the counter block */ Skein_Start_New_Type(ctx,OUT_FINAL); Skein_256_Process_Block(ctx,ctx->b,1,sizeof(u64b_t)); /* run "counter mode" */ n = byteCnt - i*SKEIN_256_BLOCK_BYTES; /* number of output bytes left to go */ if (n >= SKEIN_256_BLOCK_BYTES) n = SKEIN_256_BLOCK_BYTES; Skein_Put64_LSB_First(hashVal+i*SKEIN_256_BLOCK_BYTES,ctx->X,n); /* "output" the ctr mode bytes */ Skein_Show_Final(256,&ctx->h,n,hashVal+i*SKEIN_256_BLOCK_BYTES); memcpy(ctx->X,X,sizeof(X)); /* restore the counter mode key for next time */ } return SKEIN_SUCCESS; } #if defined(SKEIN_CODE_SIZE) || defined(SKEIN_PERF) size_t Skein_256_API_CodeSize(void) { return ((u08b_t *) Skein_256_API_CodeSize) - ((u08b_t *) Skein_256_Init); } #endif /*****************************************************************/ /* 512-bit Skein */ /*****************************************************************/ /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* init the context for a straight hashing operation */ int Skein_512_Init(Skein_512_Ctxt_t *ctx, size_t hashBitLen) { union { u08b_t b[SKEIN_512_STATE_BYTES]; u64b_t w[SKEIN_512_STATE_WORDS]; } cfg; /* config block */ Skein_Assert(hashBitLen > 0,SKEIN_BAD_HASHLEN); ctx->h.hashBitLen = hashBitLen; /* output hash bit count */ switch (hashBitLen) { /* use pre-computed values, where available */ #ifndef SKEIN_NO_PRECOMP case 512: memcpy(ctx->X,SKEIN_512_IV_512,sizeof(ctx->X)); break; case 384: memcpy(ctx->X,SKEIN_512_IV_384,sizeof(ctx->X)); break; case 256: memcpy(ctx->X,SKEIN_512_IV_256,sizeof(ctx->X)); break; case 224: memcpy(ctx->X,SKEIN_512_IV_224,sizeof(ctx->X)); break; #endif default: /* here if there is no precomputed IV value available */ /* build/process the config block, type == CONFIG (could be precomputed) */ Skein_Start_New_Type(ctx,CFG_FINAL); /* set tweaks: T0=0; T1=CFG | FINAL */ cfg.w[0] = Skein_Swap64(SKEIN_SCHEMA_VER); /* set the schema, version */ cfg.w[1] = Skein_Swap64(hashBitLen); /* hash result length in bits */ cfg.w[2] = Skein_Swap64(SKEIN_CFG_TREE_INFO_SEQUENTIAL); memset(&cfg.w[3],0,sizeof(cfg) - 3*sizeof(cfg.w[0])); /* zero pad config block */ /* compute the initial chaining values from config block */ memset(ctx->X,0,sizeof(ctx->X)); /* zero the chaining variables */ Skein_512_Process_Block(ctx,cfg.b,1,SKEIN_CFG_STR_LEN); break; } /* The chaining vars ctx->X are now initialized for the given hashBitLen. */ /* Set up to process the data message portion of the hash (default) */ Skein_Start_New_Type(ctx,MSG); /* T0=0, T1= MSG type */ return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* init the context for a MAC and/or tree hash operation */ /* [identical to Skein_512_Init() when keyBytes == 0 && treeInfo == SKEIN_CFG_TREE_INFO_SEQUENTIAL] */ int Skein_512_InitExt(Skein_512_Ctxt_t *ctx,size_t hashBitLen,u64b_t treeInfo, const u08b_t *key, size_t keyBytes) { union { u08b_t b[SKEIN_512_STATE_BYTES]; u64b_t w[SKEIN_512_STATE_WORDS]; } cfg; /* config block */ Skein_Assert(hashBitLen > 0,SKEIN_BAD_HASHLEN); Skein_Assert(keyBytes == 0 || key != NULL,SKEIN_FAIL); /* compute the initial chaining values ctx->X[], based on key */ if (keyBytes == 0) /* is there a key? */ { memset(ctx->X,0,sizeof(ctx->X)); /* no key: use all zeroes as key for config block */ } else /* here to pre-process a key */ { Skein_assert(sizeof(cfg.b) >= sizeof(ctx->X)); /* do a mini-Init right here */ ctx->h.hashBitLen=8*sizeof(ctx->X); /* set output hash bit count = state size */ Skein_Start_New_Type(ctx,KEY); /* set tweaks: T0 = 0; T1 = KEY type */ memset(ctx->X,0,sizeof(ctx->X)); /* zero the initial chaining variables */ Skein_512_Update(ctx,key,keyBytes); /* hash the key */ Skein_512_Final_Pad(ctx,cfg.b); /* put result into cfg.b[] */ memcpy(ctx->X,cfg.b,sizeof(cfg.b)); /* copy over into ctx->X[] */ #if SKEIN_NEED_SWAP { uint_t i; for (i=0;iX[i] = Skein_Swap64(ctx->X[i]); } #endif } /* build/process the config block, type == CONFIG (could be precomputed for each key) */ ctx->h.hashBitLen = hashBitLen; /* output hash bit count */ Skein_Start_New_Type(ctx,CFG_FINAL); memset(&cfg.w,0,sizeof(cfg.w)); /* pre-pad cfg.w[] with zeroes */ cfg.w[0] = Skein_Swap64(SKEIN_SCHEMA_VER); cfg.w[1] = Skein_Swap64(hashBitLen); /* hash result length in bits */ cfg.w[2] = Skein_Swap64(treeInfo); /* tree hash config info (or SKEIN_CFG_TREE_INFO_SEQUENTIAL) */ Skein_Show_Key(512,&ctx->h,key,keyBytes); /* compute the initial chaining values from config block */ Skein_512_Process_Block(ctx,cfg.b,1,SKEIN_CFG_STR_LEN); /* The chaining vars ctx->X are now initialized */ /* Set up to process the data message portion of the hash (default) */ ctx->h.bCnt = 0; /* buffer b[] starts out empty */ Skein_Start_New_Type(ctx,MSG); return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* process the input bytes */ int Skein_512_Update(Skein_512_Ctxt_t *ctx, const u08b_t *msg, size_t msgByteCnt) { size_t n; Skein_Assert(ctx->h.bCnt <= SKEIN_512_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ /* process full blocks, if any */ if (msgByteCnt + ctx->h.bCnt > SKEIN_512_BLOCK_BYTES) { if (ctx->h.bCnt) /* finish up any buffered message data */ { n = SKEIN_512_BLOCK_BYTES - ctx->h.bCnt; /* # bytes free in buffer b[] */ if (n) { Skein_assert(n < msgByteCnt); /* check on our logic here */ memcpy(&ctx->b[ctx->h.bCnt],msg,n); msgByteCnt -= n; msg += n; ctx->h.bCnt += n; } Skein_assert(ctx->h.bCnt == SKEIN_512_BLOCK_BYTES); Skein_512_Process_Block(ctx,ctx->b,1,SKEIN_512_BLOCK_BYTES); ctx->h.bCnt = 0; } /* now process any remaining full blocks, directly from input message data */ if (msgByteCnt > SKEIN_512_BLOCK_BYTES) { n = (msgByteCnt-1) / SKEIN_512_BLOCK_BYTES; /* number of full blocks to process */ Skein_512_Process_Block(ctx,msg,n,SKEIN_512_BLOCK_BYTES); msgByteCnt -= n * SKEIN_512_BLOCK_BYTES; msg += n * SKEIN_512_BLOCK_BYTES; } Skein_assert(ctx->h.bCnt == 0); } /* copy any remaining source message data bytes into b[] */ if (msgByteCnt) { Skein_assert(msgByteCnt + ctx->h.bCnt <= SKEIN_512_BLOCK_BYTES); memcpy(&ctx->b[ctx->h.bCnt],msg,msgByteCnt); ctx->h.bCnt += msgByteCnt; } return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* finalize the hash computation and output the result */ int Skein_512_Final(Skein_512_Ctxt_t *ctx, u08b_t *hashVal) { size_t i,n,byteCnt; u64b_t X[SKEIN_512_STATE_WORDS]; Skein_Assert(ctx->h.bCnt <= SKEIN_512_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ ctx->h.T[1] |= SKEIN_T1_FLAG_FINAL; /* tag as the final block */ if (ctx->h.bCnt < SKEIN_512_BLOCK_BYTES) /* zero pad b[] if necessary */ memset(&ctx->b[ctx->h.bCnt],0,SKEIN_512_BLOCK_BYTES - ctx->h.bCnt); Skein_512_Process_Block(ctx,ctx->b,1,ctx->h.bCnt); /* process the final block */ /* now output the result */ byteCnt = (ctx->h.hashBitLen + 7) >> 3; /* total number of output bytes */ /* run Threefish in "counter mode" to generate output */ memset(ctx->b,0,sizeof(ctx->b)); /* zero out b[], so it can hold the counter */ memcpy(X,ctx->X,sizeof(X)); /* keep a local copy of counter mode "key" */ for (i=0;i*SKEIN_512_BLOCK_BYTES < byteCnt;i++) { ((u64b_t *)ctx->b)[0]= Skein_Swap64((u64b_t) i); /* build the counter block */ Skein_Start_New_Type(ctx,OUT_FINAL); Skein_512_Process_Block(ctx,ctx->b,1,sizeof(u64b_t)); /* run "counter mode" */ n = byteCnt - i*SKEIN_512_BLOCK_BYTES; /* number of output bytes left to go */ if (n >= SKEIN_512_BLOCK_BYTES) n = SKEIN_512_BLOCK_BYTES; Skein_Put64_LSB_First(hashVal+i*SKEIN_512_BLOCK_BYTES,ctx->X,n); /* "output" the ctr mode bytes */ Skein_Show_Final(512,&ctx->h,n,hashVal+i*SKEIN_512_BLOCK_BYTES); memcpy(ctx->X,X,sizeof(X)); /* restore the counter mode key for next time */ } return SKEIN_SUCCESS; } #if defined(SKEIN_CODE_SIZE) || defined(SKEIN_PERF) size_t Skein_512_API_CodeSize(void) { return ((u08b_t *) Skein_512_API_CodeSize) - ((u08b_t *) Skein_512_Init); } #endif /*****************************************************************/ /* 1024-bit Skein */ /*****************************************************************/ /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* init the context for a straight hashing operation */ int Skein1024_Init(Skein1024_Ctxt_t *ctx, size_t hashBitLen) { union { u08b_t b[SKEIN1024_STATE_BYTES]; u64b_t w[SKEIN1024_STATE_WORDS]; } cfg; /* config block */ Skein_Assert(hashBitLen > 0,SKEIN_BAD_HASHLEN); ctx->h.hashBitLen = hashBitLen; /* output hash bit count */ switch (hashBitLen) { /* use pre-computed values, where available */ #ifndef SKEIN_NO_PRECOMP case 512: memcpy(ctx->X,SKEIN1024_IV_512 ,sizeof(ctx->X)); break; case 384: memcpy(ctx->X,SKEIN1024_IV_384 ,sizeof(ctx->X)); break; case 1024: memcpy(ctx->X,SKEIN1024_IV_1024,sizeof(ctx->X)); break; #endif default: /* here if there is no precomputed IV value available */ /* build/process the config block, type == CONFIG (could be precomputed) */ Skein_Start_New_Type(ctx,CFG_FINAL); /* set tweaks: T0=0; T1=CFG | FINAL */ cfg.w[0] = Skein_Swap64(SKEIN_SCHEMA_VER); /* set the schema, version */ cfg.w[1] = Skein_Swap64(hashBitLen); /* hash result length in bits */ cfg.w[2] = Skein_Swap64(SKEIN_CFG_TREE_INFO_SEQUENTIAL); memset(&cfg.w[3],0,sizeof(cfg) - 3*sizeof(cfg.w[0])); /* zero pad config block */ /* compute the initial chaining values from config block */ memset(ctx->X,0,sizeof(ctx->X)); /* zero the chaining variables */ Skein1024_Process_Block(ctx,cfg.b,1,SKEIN_CFG_STR_LEN); break; } /* The chaining vars ctx->X are now initialized for the given hashBitLen. */ /* Set up to process the data message portion of the hash (default) */ Skein_Start_New_Type(ctx,MSG); /* T0=0, T1= MSG type */ return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* init the context for a MAC and/or tree hash operation */ /* [identical to Skein1024_Init() when keyBytes == 0 && treeInfo == SKEIN_CFG_TREE_INFO_SEQUENTIAL] */ int Skein1024_InitExt(Skein1024_Ctxt_t *ctx,size_t hashBitLen,u64b_t treeInfo, const u08b_t *key, size_t keyBytes) { union { u08b_t b[SKEIN1024_STATE_BYTES]; u64b_t w[SKEIN1024_STATE_WORDS]; } cfg; /* config block */ Skein_Assert(hashBitLen > 0,SKEIN_BAD_HASHLEN); Skein_Assert(keyBytes == 0 || key != NULL,SKEIN_FAIL); /* compute the initial chaining values ctx->X[], based on key */ if (keyBytes == 0) /* is there a key? */ { memset(ctx->X,0,sizeof(ctx->X)); /* no key: use all zeroes as key for config block */ } else /* here to pre-process a key */ { Skein_assert(sizeof(cfg.b) >= sizeof(ctx->X)); /* do a mini-Init right here */ ctx->h.hashBitLen=8*sizeof(ctx->X); /* set output hash bit count = state size */ Skein_Start_New_Type(ctx,KEY); /* set tweaks: T0 = 0; T1 = KEY type */ memset(ctx->X,0,sizeof(ctx->X)); /* zero the initial chaining variables */ Skein1024_Update(ctx,key,keyBytes); /* hash the key */ Skein1024_Final_Pad(ctx,cfg.b); /* put result into cfg.b[] */ memcpy(ctx->X,cfg.b,sizeof(cfg.b)); /* copy over into ctx->X[] */ #if SKEIN_NEED_SWAP { uint_t i; for (i=0;iX[i] = Skein_Swap64(ctx->X[i]); } #endif } /* build/process the config block, type == CONFIG (could be precomputed for each key) */ ctx->h.hashBitLen = hashBitLen; /* output hash bit count */ Skein_Start_New_Type(ctx,CFG_FINAL); memset(&cfg.w,0,sizeof(cfg.w)); /* pre-pad cfg.w[] with zeroes */ cfg.w[0] = Skein_Swap64(SKEIN_SCHEMA_VER); cfg.w[1] = Skein_Swap64(hashBitLen); /* hash result length in bits */ cfg.w[2] = Skein_Swap64(treeInfo); /* tree hash config info (or SKEIN_CFG_TREE_INFO_SEQUENTIAL) */ Skein_Show_Key(1024,&ctx->h,key,keyBytes); /* compute the initial chaining values from config block */ Skein1024_Process_Block(ctx,cfg.b,1,SKEIN_CFG_STR_LEN); /* The chaining vars ctx->X are now initialized */ /* Set up to process the data message portion of the hash (default) */ ctx->h.bCnt = 0; /* buffer b[] starts out empty */ Skein_Start_New_Type(ctx,MSG); return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* process the input bytes */ int Skein1024_Update(Skein1024_Ctxt_t *ctx, const u08b_t *msg, size_t msgByteCnt) { size_t n; Skein_Assert(ctx->h.bCnt <= SKEIN1024_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ /* process full blocks, if any */ if (msgByteCnt + ctx->h.bCnt > SKEIN1024_BLOCK_BYTES) { if (ctx->h.bCnt) /* finish up any buffered message data */ { n = SKEIN1024_BLOCK_BYTES - ctx->h.bCnt; /* # bytes free in buffer b[] */ if (n) { Skein_assert(n < msgByteCnt); /* check on our logic here */ memcpy(&ctx->b[ctx->h.bCnt],msg,n); msgByteCnt -= n; msg += n; ctx->h.bCnt += n; } Skein_assert(ctx->h.bCnt == SKEIN1024_BLOCK_BYTES); Skein1024_Process_Block(ctx,ctx->b,1,SKEIN1024_BLOCK_BYTES); ctx->h.bCnt = 0; } /* now process any remaining full blocks, directly from input message data */ if (msgByteCnt > SKEIN1024_BLOCK_BYTES) { n = (msgByteCnt-1) / SKEIN1024_BLOCK_BYTES; /* number of full blocks to process */ Skein1024_Process_Block(ctx,msg,n,SKEIN1024_BLOCK_BYTES); msgByteCnt -= n * SKEIN1024_BLOCK_BYTES; msg += n * SKEIN1024_BLOCK_BYTES; } Skein_assert(ctx->h.bCnt == 0); } /* copy any remaining source message data bytes into b[] */ if (msgByteCnt) { Skein_assert(msgByteCnt + ctx->h.bCnt <= SKEIN1024_BLOCK_BYTES); memcpy(&ctx->b[ctx->h.bCnt],msg,msgByteCnt); ctx->h.bCnt += msgByteCnt; } return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* finalize the hash computation and output the result */ int Skein1024_Final(Skein1024_Ctxt_t *ctx, u08b_t *hashVal) { size_t i,n,byteCnt; u64b_t X[SKEIN1024_STATE_WORDS]; Skein_Assert(ctx->h.bCnt <= SKEIN1024_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ ctx->h.T[1] |= SKEIN_T1_FLAG_FINAL; /* tag as the final block */ if (ctx->h.bCnt < SKEIN1024_BLOCK_BYTES) /* zero pad b[] if necessary */ memset(&ctx->b[ctx->h.bCnt],0,SKEIN1024_BLOCK_BYTES - ctx->h.bCnt); Skein1024_Process_Block(ctx,ctx->b,1,ctx->h.bCnt); /* process the final block */ /* now output the result */ byteCnt = (ctx->h.hashBitLen + 7) >> 3; /* total number of output bytes */ /* run Threefish in "counter mode" to generate output */ memset(ctx->b,0,sizeof(ctx->b)); /* zero out b[], so it can hold the counter */ memcpy(X,ctx->X,sizeof(X)); /* keep a local copy of counter mode "key" */ for (i=0;i*SKEIN1024_BLOCK_BYTES < byteCnt;i++) { ((u64b_t *)ctx->b)[0]= Skein_Swap64((u64b_t) i); /* build the counter block */ Skein_Start_New_Type(ctx,OUT_FINAL); Skein1024_Process_Block(ctx,ctx->b,1,sizeof(u64b_t)); /* run "counter mode" */ n = byteCnt - i*SKEIN1024_BLOCK_BYTES; /* number of output bytes left to go */ if (n >= SKEIN1024_BLOCK_BYTES) n = SKEIN1024_BLOCK_BYTES; Skein_Put64_LSB_First(hashVal+i*SKEIN1024_BLOCK_BYTES,ctx->X,n); /* "output" the ctr mode bytes */ Skein_Show_Final(1024,&ctx->h,n,hashVal+i*SKEIN1024_BLOCK_BYTES); memcpy(ctx->X,X,sizeof(X)); /* restore the counter mode key for next time */ } return SKEIN_SUCCESS; } #if defined(SKEIN_CODE_SIZE) || defined(SKEIN_PERF) size_t Skein1024_API_CodeSize(void) { return ((u08b_t *) Skein1024_API_CodeSize) - ((u08b_t *) Skein1024_Init); } #endif /**************** Functions to support MAC/tree hashing ***************/ /* (this code is identical for Optimized and Reference versions) */ /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* finalize the hash computation and output the block, no OUTPUT stage */ int Skein_256_Final_Pad(Skein_256_Ctxt_t *ctx, u08b_t *hashVal) { Skein_Assert(ctx->h.bCnt <= SKEIN_256_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ ctx->h.T[1] |= SKEIN_T1_FLAG_FINAL; /* tag as the final block */ if (ctx->h.bCnt < SKEIN_256_BLOCK_BYTES) /* zero pad b[] if necessary */ memset(&ctx->b[ctx->h.bCnt],0,SKEIN_256_BLOCK_BYTES - ctx->h.bCnt); Skein_256_Process_Block(ctx,ctx->b,1,ctx->h.bCnt); /* process the final block */ Skein_Put64_LSB_First(hashVal,ctx->X,SKEIN_256_BLOCK_BYTES); /* "output" the state bytes */ return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* finalize the hash computation and output the block, no OUTPUT stage */ int Skein_512_Final_Pad(Skein_512_Ctxt_t *ctx, u08b_t *hashVal) { Skein_Assert(ctx->h.bCnt <= SKEIN_512_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ ctx->h.T[1] |= SKEIN_T1_FLAG_FINAL; /* tag as the final block */ if (ctx->h.bCnt < SKEIN_512_BLOCK_BYTES) /* zero pad b[] if necessary */ memset(&ctx->b[ctx->h.bCnt],0,SKEIN_512_BLOCK_BYTES - ctx->h.bCnt); Skein_512_Process_Block(ctx,ctx->b,1,ctx->h.bCnt); /* process the final block */ Skein_Put64_LSB_First(hashVal,ctx->X,SKEIN_512_BLOCK_BYTES); /* "output" the state bytes */ return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* finalize the hash computation and output the block, no OUTPUT stage */ int Skein1024_Final_Pad(Skein1024_Ctxt_t *ctx, u08b_t *hashVal) { Skein_Assert(ctx->h.bCnt <= SKEIN1024_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ ctx->h.T[1] |= SKEIN_T1_FLAG_FINAL; /* tag as the final block */ if (ctx->h.bCnt < SKEIN1024_BLOCK_BYTES) /* zero pad b[] if necessary */ memset(&ctx->b[ctx->h.bCnt],0,SKEIN1024_BLOCK_BYTES - ctx->h.bCnt); Skein1024_Process_Block(ctx,ctx->b,1,ctx->h.bCnt); /* process the final block */ Skein_Put64_LSB_First(hashVal,ctx->X,SKEIN1024_BLOCK_BYTES); /* "output" the state bytes */ return SKEIN_SUCCESS; } #if SKEIN_TREE_HASH /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* just do the OUTPUT stage */ int Skein_256_Output(Skein_256_Ctxt_t *ctx, u08b_t *hashVal) { size_t i,n,byteCnt; u64b_t X[SKEIN_256_STATE_WORDS]; Skein_Assert(ctx->h.bCnt <= SKEIN_256_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ /* now output the result */ byteCnt = (ctx->h.hashBitLen + 7) >> 3; /* total number of output bytes */ /* run Threefish in "counter mode" to generate output */ memset(ctx->b,0,sizeof(ctx->b)); /* zero out b[], so it can hold the counter */ memcpy(X,ctx->X,sizeof(X)); /* keep a local copy of counter mode "key" */ for (i=0;i*SKEIN_256_BLOCK_BYTES < byteCnt;i++) { ((u64b_t *)ctx->b)[0]= Skein_Swap64((u64b_t) i); /* build the counter block */ Skein_Start_New_Type(ctx,OUT_FINAL); Skein_256_Process_Block(ctx,ctx->b,1,sizeof(u64b_t)); /* run "counter mode" */ n = byteCnt - i*SKEIN_256_BLOCK_BYTES; /* number of output bytes left to go */ if (n >= SKEIN_256_BLOCK_BYTES) n = SKEIN_256_BLOCK_BYTES; Skein_Put64_LSB_First(hashVal+i*SKEIN_256_BLOCK_BYTES,ctx->X,n); /* "output" the ctr mode bytes */ Skein_Show_Final(256,&ctx->h,n,hashVal+i*SKEIN_256_BLOCK_BYTES); memcpy(ctx->X,X,sizeof(X)); /* restore the counter mode key for next time */ } return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* just do the OUTPUT stage */ int Skein_512_Output(Skein_512_Ctxt_t *ctx, u08b_t *hashVal) { size_t i,n,byteCnt; u64b_t X[SKEIN_512_STATE_WORDS]; Skein_Assert(ctx->h.bCnt <= SKEIN_512_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ /* now output the result */ byteCnt = (ctx->h.hashBitLen + 7) >> 3; /* total number of output bytes */ /* run Threefish in "counter mode" to generate output */ memset(ctx->b,0,sizeof(ctx->b)); /* zero out b[], so it can hold the counter */ memcpy(X,ctx->X,sizeof(X)); /* keep a local copy of counter mode "key" */ for (i=0;i*SKEIN_512_BLOCK_BYTES < byteCnt;i++) { ((u64b_t *)ctx->b)[0]= Skein_Swap64((u64b_t) i); /* build the counter block */ Skein_Start_New_Type(ctx,OUT_FINAL); Skein_512_Process_Block(ctx,ctx->b,1,sizeof(u64b_t)); /* run "counter mode" */ n = byteCnt - i*SKEIN_512_BLOCK_BYTES; /* number of output bytes left to go */ if (n >= SKEIN_512_BLOCK_BYTES) n = SKEIN_512_BLOCK_BYTES; Skein_Put64_LSB_First(hashVal+i*SKEIN_512_BLOCK_BYTES,ctx->X,n); /* "output" the ctr mode bytes */ Skein_Show_Final(256,&ctx->h,n,hashVal+i*SKEIN_512_BLOCK_BYTES); memcpy(ctx->X,X,sizeof(X)); /* restore the counter mode key for next time */ } return SKEIN_SUCCESS; } /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/ /* just do the OUTPUT stage */ int Skein1024_Output(Skein1024_Ctxt_t *ctx, u08b_t *hashVal) { size_t i,n,byteCnt; u64b_t X[SKEIN1024_STATE_WORDS]; Skein_Assert(ctx->h.bCnt <= SKEIN1024_BLOCK_BYTES,SKEIN_FAIL); /* catch uninitialized context */ /* now output the result */ byteCnt = (ctx->h.hashBitLen + 7) >> 3; /* total number of output bytes */ /* run Threefish in "counter mode" to generate output */ memset(ctx->b,0,sizeof(ctx->b)); /* zero out b[], so it can hold the counter */ memcpy(X,ctx->X,sizeof(X)); /* keep a local copy of counter mode "key" */ for (i=0;i*SKEIN1024_BLOCK_BYTES < byteCnt;i++) { ((u64b_t *)ctx->b)[0]= Skein_Swap64((u64b_t) i); /* build the counter block */ Skein_Start_New_Type(ctx,OUT_FINAL); Skein1024_Process_Block(ctx,ctx->b,1,sizeof(u64b_t)); /* run "counter mode" */ n = byteCnt - i*SKEIN1024_BLOCK_BYTES; /* number of output bytes left to go */ if (n >= SKEIN1024_BLOCK_BYTES) n = SKEIN1024_BLOCK_BYTES; Skein_Put64_LSB_First(hashVal+i*SKEIN1024_BLOCK_BYTES,ctx->X,n); /* "output" the ctr mode bytes */ Skein_Show_Final(256,&ctx->h,n,hashVal+i*SKEIN1024_BLOCK_BYTES); memcpy(ctx->X,X,sizeof(X)); /* restore the counter mode key for next time */ } return SKEIN_SUCCESS; } /* Adapt the functions to match the prototype expected by libmd */ void SKEIN256_Init(SKEIN256_CTX * ctx) { Skein_256_Init(ctx, 256); } void SKEIN512_Init(SKEIN512_CTX * ctx) { Skein_512_Init(ctx, 512); } void SKEIN1024_Init(SKEIN1024_CTX * ctx) { Skein1024_Init(ctx, 1024); } void SKEIN256_Update(SKEIN256_CTX * ctx, const void *in, size_t len) { Skein_256_Update(ctx, in, len); } void SKEIN512_Update(SKEIN512_CTX * ctx, const void *in, size_t len) { Skein_512_Update(ctx, in, len); } void SKEIN1024_Update(SKEIN1024_CTX * ctx, const void *in, size_t len) { Skein1024_Update(ctx, in, len); } void SKEIN256_Final(unsigned char digest[static SKEIN_256_BLOCK_BYTES], SKEIN256_CTX *ctx) { Skein_256_Final(ctx, digest); + explicit_bzero(ctx, sizeof(*ctx)); } void SKEIN512_Final(unsigned char digest[static SKEIN_512_BLOCK_BYTES], SKEIN512_CTX *ctx) { Skein_512_Final(ctx, digest); + explicit_bzero(ctx, sizeof(*ctx)); } void SKEIN1024_Final(unsigned char digest[static SKEIN1024_BLOCK_BYTES], SKEIN1024_CTX *ctx) { Skein1024_Final(ctx, digest); + explicit_bzero(ctx, sizeof(*ctx)); } #ifdef WEAK_REFS /* When building libmd, provide weak references. Note: this is not activated in the context of compiling these sources for internal use in libcrypt. */ #undef SKEIN256_Init __weak_reference(_libmd_SKEIN256_Init, SKEIN256_Init); #undef SKEIN256_Update __weak_reference(_libmd_SKEIN256_Update, SKEIN256_Update); #undef SKEIN256_Final __weak_reference(_libmd_SKEIN256_Final, SKEIN256_Final); #undef SKEIN512_Init __weak_reference(_libmd_SKEIN512_Init, SKEIN512_Init); #undef SKEIN512_Update __weak_reference(_libmd_SKEIN512_Update, SKEIN512_Update); #undef SKEIN512_Final __weak_reference(_libmd_SKEIN512_Final, SKEIN512_Final); #undef SKEIN1024_Init __weak_reference(_libmd_SKEIN1024_Init, SKEIN1024_Init); #undef SKEIN1024_Update __weak_reference(_libmd_SKEIN1024_Update, SKEIN1024_Update); #undef SKEIN1024_Final __weak_reference(_libmd_SKEIN1024_Final, SKEIN1024_Final); #endif #endif