1 /*
2  * sha512.c - implementation of SHA256, SHA384 and SHA512
3  *
4  * ***** BEGIN LICENSE BLOCK *****
5  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6  *
7  * The contents of this file are subject to the Mozilla Public License Version
8  * 1.1 (the "License"); you may not use this file except in compliance with
9  * the License. You may obtain a copy of the License at
10  * http://www.mozilla.org/MPL/
11  *
12  * Software distributed under the License is distributed on an "AS IS" basis,
13  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14  * for the specific language governing rights and limitations under the
15  * License.
16  *
17  * The Original Code is the Netscape security libraries.
18  *
19  * The Initial Developer of the Original Code is
20  * Netscape Communications Corporation.
21  * Portions created by the Initial Developer are Copyright (C) 2002
22  * the Initial Developer. All Rights Reserved.
23  *
24  * Contributor(s):
25  *
26  * Alternatively, the contents of this file may be used under the terms of
27  * either the GNU General Public License Version 2 or later (the "GPL"), or
28  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
29  * in which case the provisions of the GPL or the LGPL are applicable instead
30  * of those above. If you wish to allow use of your version of this file only
31  * under the terms of either the GPL or the LGPL, and not to allow others to
32  * use your version of this file under the terms of the MPL, indicate your
33  * decision by deleting the provisions above and replace them with the notice
34  * and other provisions required by the GPL or the LGPL. If you do not delete
35  * the provisions above, a recipient may use your version of this file under
36  * the terms of any one of the MPL, the GPL or the LGPL.
37  *
38  * ***** END LICENSE BLOCK ***** */
39 /* $Id: sha512.c,v 1.9 2006/10/13 16:54:04 wtchang%redhat.com Exp $ */
40 
41 // Prevent manual unrolling in the sha256 code, which reduces the binary code
42 // size from ~10k to ~1k.  The performance should be reasonable for our use.
43 #define NOUNROLL256 1
44 
45 #include "crypto/third_party/nss/chromium-prtypes.h"  /* for PRUintXX */
46 #if defined(_X86_) || defined(SHA_NO_LONG_LONG)
47 #define NOUNROLL512 1
48 #undef HAVE_LONG_LONG
49 #endif
50 #include "crypto/third_party/nss/chromium-blapi.h"
51 #include "crypto/third_party/nss/chromium-sha256.h"    /* for struct SHA256ContextStr */
52 
53 #include <stdlib.h>
54 #include <string.h>
55 #define PORT_New(type) static_cast<type*>(malloc(sizeof(type)))
56 #define PORT_ZFree(ptr, len) do { memset(ptr, 0, len); free(ptr); } while (0)
57 #define PORT_Strlen(s) static_cast<unsigned int>(strlen(s))
58 #define PORT_Memcpy memcpy
59 
60 /* ============= Common constants and defines ======================= */
61 
62 #define W ctx->u.w
63 #define B ctx->u.b
64 #define H ctx->h
65 
66 #define SHR(x,n) (x >> n)
67 #define SHL(x,n) (x << n)
68 #define Ch(x,y,z)  ((x & y) ^ (~x & z))
69 #define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z))
70 
71 /* Padding used with all flavors of SHA */
72 static const PRUint8 pad[240] = {
73 0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
74    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
75    /* compiler will fill the rest in with zeros */
76 };
77 
78 /* ============= SHA256 implemenmtation ================================== */
79 
80 /* SHA-256 constants, K256. */
81 static const PRUint32 K256[64] = {
82     0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
83     0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
84     0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
85     0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
86     0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
87     0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
88     0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
89     0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
90     0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
91     0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
92     0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
93     0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
94     0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
95     0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
96     0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
97     0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
98 };
99 
100 /* SHA-256 initial hash values */
101 static const PRUint32 H256[8] = {
102     0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
103     0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
104 };
105 
106 #if defined(_MSC_VER) && defined(_X86_)
107 #ifndef FORCEINLINE
108 #if (_MSC_VER >= 1200)
109 #define FORCEINLINE __forceinline
110 #else
111 #define FORCEINLINE __inline
112 #endif
113 #endif
114 #define FASTCALL __fastcall
115 
116 static FORCEINLINE PRUint32 FASTCALL
swap4b(PRUint32 dwd)117 swap4b(PRUint32 dwd)
118 {
119     __asm {
120     	mov   eax,dwd
121 	bswap eax
122     }
123 }
124 
125 #define SHA_HTONL(x) swap4b(x)
126 #define BYTESWAP4(x)  x = SHA_HTONL(x)
127 
128 #elif defined(LINUX) && defined(_X86_)
129 #undef  __OPTIMIZE__
130 #define __OPTIMIZE__ 1
131 #undef  __pentium__
132 #define __pentium__ 1
133 #include <byteswap.h>
134 #define SHA_HTONL(x) bswap_32(x)
135 #define BYTESWAP4(x)  x = SHA_HTONL(x)
136 
137 #else /* neither windows nor Linux PC */
138 #define SWAP4MASK  0x00FF00FF
139 #define SHA_HTONL(x) (t1 = (x), t1 = (t1 << 16) | (t1 >> 16), \
140                       ((t1 & SWAP4MASK) << 8) | ((t1 >> 8) & SWAP4MASK))
141 #define BYTESWAP4(x)  x = SHA_HTONL(x)
142 #endif
143 
144 #if defined(_MSC_VER) && defined(_X86_)
145 #pragma intrinsic (_lrotr, _lrotl)
146 #define ROTR32(x,n) _lrotr(x,n)
147 #define ROTL32(x,n) _lrotl(x,n)
148 #else
149 #define ROTR32(x,n) ((x >> n) | (x << ((8 * sizeof x) - n)))
150 #define ROTL32(x,n) ((x << n) | (x >> ((8 * sizeof x) - n)))
151 #endif
152 
153 /* Capitol Sigma and lower case sigma functions */
154 #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x,22))
155 #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x,25))
156 #define s0(x) (t1 = x, ROTR32(t1, 7) ^ ROTR32(t1,18) ^ SHR(t1, 3))
157 #define s1(x) (t2 = x, ROTR32(t2,17) ^ ROTR32(t2,19) ^ SHR(t2,10))
158 
159 SHA256Context *
SHA256_NewContext(void)160 SHA256_NewContext(void)
161 {
162     SHA256Context *ctx = PORT_New(SHA256Context);
163     return ctx;
164 }
165 
166 void
SHA256_DestroyContext(SHA256Context * ctx,PRBool freeit)167 SHA256_DestroyContext(SHA256Context *ctx, PRBool freeit)
168 {
169     if (freeit) {
170         PORT_ZFree(ctx, sizeof *ctx);
171     }
172 }
173 
174 void
SHA256_Begin(SHA256Context * ctx)175 SHA256_Begin(SHA256Context *ctx)
176 {
177     memset(ctx, 0, sizeof *ctx);
178     memcpy(H, H256, sizeof H256);
179 }
180 
181 static void
SHA256_Compress(SHA256Context * ctx)182 SHA256_Compress(SHA256Context *ctx)
183 {
184   {
185     register PRUint32 t1, t2;
186 
187 #if defined(IS_LITTLE_ENDIAN)
188     BYTESWAP4(W[0]);
189     BYTESWAP4(W[1]);
190     BYTESWAP4(W[2]);
191     BYTESWAP4(W[3]);
192     BYTESWAP4(W[4]);
193     BYTESWAP4(W[5]);
194     BYTESWAP4(W[6]);
195     BYTESWAP4(W[7]);
196     BYTESWAP4(W[8]);
197     BYTESWAP4(W[9]);
198     BYTESWAP4(W[10]);
199     BYTESWAP4(W[11]);
200     BYTESWAP4(W[12]);
201     BYTESWAP4(W[13]);
202     BYTESWAP4(W[14]);
203     BYTESWAP4(W[15]);
204 #endif
205 
206 #define INITW(t) W[t] = (s1(W[t-2]) + W[t-7] + s0(W[t-15]) + W[t-16])
207 
208     /* prepare the "message schedule"   */
209 #ifdef NOUNROLL256
210     {
211 	int t;
212 	for (t = 16; t < 64; ++t) {
213 	    INITW(t);
214 	}
215     }
216 #else
217     INITW(16);
218     INITW(17);
219     INITW(18);
220     INITW(19);
221 
222     INITW(20);
223     INITW(21);
224     INITW(22);
225     INITW(23);
226     INITW(24);
227     INITW(25);
228     INITW(26);
229     INITW(27);
230     INITW(28);
231     INITW(29);
232 
233     INITW(30);
234     INITW(31);
235     INITW(32);
236     INITW(33);
237     INITW(34);
238     INITW(35);
239     INITW(36);
240     INITW(37);
241     INITW(38);
242     INITW(39);
243 
244     INITW(40);
245     INITW(41);
246     INITW(42);
247     INITW(43);
248     INITW(44);
249     INITW(45);
250     INITW(46);
251     INITW(47);
252     INITW(48);
253     INITW(49);
254 
255     INITW(50);
256     INITW(51);
257     INITW(52);
258     INITW(53);
259     INITW(54);
260     INITW(55);
261     INITW(56);
262     INITW(57);
263     INITW(58);
264     INITW(59);
265 
266     INITW(60);
267     INITW(61);
268     INITW(62);
269     INITW(63);
270 
271 #endif
272 #undef INITW
273   }
274   {
275     PRUint32 a, b, c, d, e, f, g, h;
276 
277     a = H[0];
278     b = H[1];
279     c = H[2];
280     d = H[3];
281     e = H[4];
282     f = H[5];
283     g = H[6];
284     h = H[7];
285 
286 #define ROUND(n,a,b,c,d,e,f,g,h) \
287     h += S1(e) + Ch(e,f,g) + K256[n] + W[n]; \
288     d += h; \
289     h += S0(a) + Maj(a,b,c);
290 
291 #ifdef NOUNROLL256
292     {
293 	int t;
294 	for (t = 0; t < 64; t+= 8) {
295 	    ROUND(t+0,a,b,c,d,e,f,g,h)
296 	    ROUND(t+1,h,a,b,c,d,e,f,g)
297 	    ROUND(t+2,g,h,a,b,c,d,e,f)
298 	    ROUND(t+3,f,g,h,a,b,c,d,e)
299 	    ROUND(t+4,e,f,g,h,a,b,c,d)
300 	    ROUND(t+5,d,e,f,g,h,a,b,c)
301 	    ROUND(t+6,c,d,e,f,g,h,a,b)
302 	    ROUND(t+7,b,c,d,e,f,g,h,a)
303 	}
304     }
305 #else
306     ROUND( 0,a,b,c,d,e,f,g,h)
307     ROUND( 1,h,a,b,c,d,e,f,g)
308     ROUND( 2,g,h,a,b,c,d,e,f)
309     ROUND( 3,f,g,h,a,b,c,d,e)
310     ROUND( 4,e,f,g,h,a,b,c,d)
311     ROUND( 5,d,e,f,g,h,a,b,c)
312     ROUND( 6,c,d,e,f,g,h,a,b)
313     ROUND( 7,b,c,d,e,f,g,h,a)
314 
315     ROUND( 8,a,b,c,d,e,f,g,h)
316     ROUND( 9,h,a,b,c,d,e,f,g)
317     ROUND(10,g,h,a,b,c,d,e,f)
318     ROUND(11,f,g,h,a,b,c,d,e)
319     ROUND(12,e,f,g,h,a,b,c,d)
320     ROUND(13,d,e,f,g,h,a,b,c)
321     ROUND(14,c,d,e,f,g,h,a,b)
322     ROUND(15,b,c,d,e,f,g,h,a)
323 
324     ROUND(16,a,b,c,d,e,f,g,h)
325     ROUND(17,h,a,b,c,d,e,f,g)
326     ROUND(18,g,h,a,b,c,d,e,f)
327     ROUND(19,f,g,h,a,b,c,d,e)
328     ROUND(20,e,f,g,h,a,b,c,d)
329     ROUND(21,d,e,f,g,h,a,b,c)
330     ROUND(22,c,d,e,f,g,h,a,b)
331     ROUND(23,b,c,d,e,f,g,h,a)
332 
333     ROUND(24,a,b,c,d,e,f,g,h)
334     ROUND(25,h,a,b,c,d,e,f,g)
335     ROUND(26,g,h,a,b,c,d,e,f)
336     ROUND(27,f,g,h,a,b,c,d,e)
337     ROUND(28,e,f,g,h,a,b,c,d)
338     ROUND(29,d,e,f,g,h,a,b,c)
339     ROUND(30,c,d,e,f,g,h,a,b)
340     ROUND(31,b,c,d,e,f,g,h,a)
341 
342     ROUND(32,a,b,c,d,e,f,g,h)
343     ROUND(33,h,a,b,c,d,e,f,g)
344     ROUND(34,g,h,a,b,c,d,e,f)
345     ROUND(35,f,g,h,a,b,c,d,e)
346     ROUND(36,e,f,g,h,a,b,c,d)
347     ROUND(37,d,e,f,g,h,a,b,c)
348     ROUND(38,c,d,e,f,g,h,a,b)
349     ROUND(39,b,c,d,e,f,g,h,a)
350 
351     ROUND(40,a,b,c,d,e,f,g,h)
352     ROUND(41,h,a,b,c,d,e,f,g)
353     ROUND(42,g,h,a,b,c,d,e,f)
354     ROUND(43,f,g,h,a,b,c,d,e)
355     ROUND(44,e,f,g,h,a,b,c,d)
356     ROUND(45,d,e,f,g,h,a,b,c)
357     ROUND(46,c,d,e,f,g,h,a,b)
358     ROUND(47,b,c,d,e,f,g,h,a)
359 
360     ROUND(48,a,b,c,d,e,f,g,h)
361     ROUND(49,h,a,b,c,d,e,f,g)
362     ROUND(50,g,h,a,b,c,d,e,f)
363     ROUND(51,f,g,h,a,b,c,d,e)
364     ROUND(52,e,f,g,h,a,b,c,d)
365     ROUND(53,d,e,f,g,h,a,b,c)
366     ROUND(54,c,d,e,f,g,h,a,b)
367     ROUND(55,b,c,d,e,f,g,h,a)
368 
369     ROUND(56,a,b,c,d,e,f,g,h)
370     ROUND(57,h,a,b,c,d,e,f,g)
371     ROUND(58,g,h,a,b,c,d,e,f)
372     ROUND(59,f,g,h,a,b,c,d,e)
373     ROUND(60,e,f,g,h,a,b,c,d)
374     ROUND(61,d,e,f,g,h,a,b,c)
375     ROUND(62,c,d,e,f,g,h,a,b)
376     ROUND(63,b,c,d,e,f,g,h,a)
377 #endif
378 
379     H[0] += a;
380     H[1] += b;
381     H[2] += c;
382     H[3] += d;
383     H[4] += e;
384     H[5] += f;
385     H[6] += g;
386     H[7] += h;
387   }
388 #undef ROUND
389 }
390 
391 #undef s0
392 #undef s1
393 #undef S0
394 #undef S1
395 
396 void
SHA256_Update(SHA256Context * ctx,const unsigned char * input,unsigned int inputLen)397 SHA256_Update(SHA256Context *ctx, const unsigned char *input,
398 		    unsigned int inputLen)
399 {
400     unsigned int inBuf = ctx->sizeLo & 0x3f;
401     if (!inputLen)
402     	return;
403 
404     /* Add inputLen into the count of bytes processed, before processing */
405     if ((ctx->sizeLo += inputLen) < inputLen)
406     	ctx->sizeHi++;
407 
408     /* if data already in buffer, attemp to fill rest of buffer */
409     if (inBuf) {
410     	unsigned int todo = SHA256_BLOCK_LENGTH - inBuf;
411 	if (inputLen < todo)
412 	    todo = inputLen;
413 	memcpy(B + inBuf, input, todo);
414 	input    += todo;
415 	inputLen -= todo;
416 	if (inBuf + todo == SHA256_BLOCK_LENGTH)
417 	    SHA256_Compress(ctx);
418     }
419 
420     /* if enough data to fill one or more whole buffers, process them. */
421     while (inputLen >= SHA256_BLOCK_LENGTH) {
422     	memcpy(B, input, SHA256_BLOCK_LENGTH);
423 	input    += SHA256_BLOCK_LENGTH;
424 	inputLen -= SHA256_BLOCK_LENGTH;
425 	SHA256_Compress(ctx);
426     }
427     /* if data left over, fill it into buffer */
428     if (inputLen)
429     	memcpy(B, input, inputLen);
430 }
431 
432 void
SHA256_End(SHA256Context * ctx,unsigned char * digest,unsigned int * digestLen,unsigned int maxDigestLen)433 SHA256_End(SHA256Context *ctx, unsigned char *digest,
434            unsigned int *digestLen, unsigned int maxDigestLen)
435 {
436     unsigned int inBuf = ctx->sizeLo & 0x3f;
437     unsigned int padLen = (inBuf < 56) ? (56 - inBuf) : (56 + 64 - inBuf);
438     PRUint32 hi, lo;
439 #ifdef SWAP4MASK
440     PRUint32 t1;
441 #endif
442 
443     hi = (ctx->sizeHi << 3) | (ctx->sizeLo >> 29);
444     lo = (ctx->sizeLo << 3);
445 
446     SHA256_Update(ctx, pad, padLen);
447 
448 #if defined(IS_LITTLE_ENDIAN)
449     W[14] = SHA_HTONL(hi);
450     W[15] = SHA_HTONL(lo);
451 #else
452     W[14] = hi;
453     W[15] = lo;
454 #endif
455     SHA256_Compress(ctx);
456 
457     /* now output the answer */
458 #if defined(IS_LITTLE_ENDIAN)
459     BYTESWAP4(H[0]);
460     BYTESWAP4(H[1]);
461     BYTESWAP4(H[2]);
462     BYTESWAP4(H[3]);
463     BYTESWAP4(H[4]);
464     BYTESWAP4(H[5]);
465     BYTESWAP4(H[6]);
466     BYTESWAP4(H[7]);
467 #endif
468     padLen = PR_MIN(SHA256_LENGTH, maxDigestLen);
469     memcpy(digest, H, padLen);
470     if (digestLen)
471 	*digestLen = padLen;
472 }
473 
SHA256_Clone(SHA256Context * dest,SHA256Context * src)474 void SHA256_Clone(SHA256Context* dest, SHA256Context* src)
475 {
476   memcpy(dest, src, sizeof *dest);
477 }
478 
479 /* Comment out unused code, mostly the SHA384 and SHA512 implementations. */
480 #if 0
481 SECStatus
482 SHA256_HashBuf(unsigned char *dest, const unsigned char *src,
483                unsigned int src_length)
484 {
485     SHA256Context ctx;
486     unsigned int outLen;
487 
488     SHA256_Begin(&ctx);
489     SHA256_Update(&ctx, src, src_length);
490     SHA256_End(&ctx, dest, &outLen, SHA256_LENGTH);
491 
492     return SECSuccess;
493 }
494 
495 
496 SECStatus
497 SHA256_Hash(unsigned char *dest, const char *src)
498 {
499     return SHA256_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
500 }
501 
502 
503 void SHA256_TraceState(SHA256Context *ctx) { }
504 
505 unsigned int
506 SHA256_FlattenSize(SHA256Context *ctx)
507 {
508     return sizeof *ctx;
509 }
510 
511 SECStatus
512 SHA256_Flatten(SHA256Context *ctx,unsigned char *space)
513 {
514     PORT_Memcpy(space, ctx, sizeof *ctx);
515     return SECSuccess;
516 }
517 
518 SHA256Context *
519 SHA256_Resurrect(unsigned char *space, void *arg)
520 {
521     SHA256Context *ctx = SHA256_NewContext();
522     if (ctx)
523 	PORT_Memcpy(ctx, space, sizeof *ctx);
524     return ctx;
525 }
526 
527 /* ======= SHA512 and SHA384 common constants and defines ================= */
528 
529 /* common #defines for SHA512 and SHA384 */
530 #if defined(HAVE_LONG_LONG)
531 #define ROTR64(x,n) ((x >> n) | (x << (64 - n)))
532 #define ROTL64(x,n) ((x << n) | (x >> (64 - n)))
533 
534 #define S0(x) (ROTR64(x,28) ^ ROTR64(x,34) ^ ROTR64(x,39))
535 #define S1(x) (ROTR64(x,14) ^ ROTR64(x,18) ^ ROTR64(x,41))
536 #define s0(x) (t1 = x, ROTR64(t1, 1) ^ ROTR64(t1, 8) ^ SHR(t1,7))
537 #define s1(x) (t2 = x, ROTR64(t2,19) ^ ROTR64(t2,61) ^ SHR(t2,6))
538 
539 #if PR_BYTES_PER_LONG == 8
540 #define ULLC(hi,lo) 0x ## hi ## lo ## UL
541 #elif defined(_MSC_VER)
542 #define ULLC(hi,lo) 0x ## hi ## lo ## ui64
543 #else
544 #define ULLC(hi,lo) 0x ## hi ## lo ## ULL
545 #endif
546 
547 #define SHA_MASK16 ULLC(0000FFFF,0000FFFF)
548 #define SHA_MASK8  ULLC(00FF00FF,00FF00FF)
549 #define SHA_HTONLL(x) (t1 = x, \
550   t1 = ((t1 & SHA_MASK8 ) <<  8) | ((t1 >>  8) & SHA_MASK8 ), \
551   t1 = ((t1 & SHA_MASK16) << 16) | ((t1 >> 16) & SHA_MASK16), \
552   (t1 >> 32) | (t1 << 32))
553 #define BYTESWAP8(x)  x = SHA_HTONLL(x)
554 
555 #else /* no long long */
556 
557 #if defined(IS_LITTLE_ENDIAN)
558 #define ULLC(hi,lo) { 0x ## lo ## U, 0x ## hi ## U }
559 #else
560 #define ULLC(hi,lo) { 0x ## hi ## U, 0x ## lo ## U }
561 #endif
562 
563 #define SHA_HTONLL(x) ( BYTESWAP4(x.lo), BYTESWAP4(x.hi), \
564    x.hi ^= x.lo ^= x.hi ^= x.lo, x)
565 #define BYTESWAP8(x)  do { PRUint32 tmp; BYTESWAP4(x.lo); BYTESWAP4(x.hi); \
566    tmp = x.lo; x.lo = x.hi; x.hi = tmp; } while (0)
567 #endif
568 
569 /* SHA-384 and SHA-512 constants, K512. */
570 static const PRUint64 K512[80] = {
571 #if PR_BYTES_PER_LONG == 8
572      0x428a2f98d728ae22UL ,  0x7137449123ef65cdUL ,
573      0xb5c0fbcfec4d3b2fUL ,  0xe9b5dba58189dbbcUL ,
574      0x3956c25bf348b538UL ,  0x59f111f1b605d019UL ,
575      0x923f82a4af194f9bUL ,  0xab1c5ed5da6d8118UL ,
576      0xd807aa98a3030242UL ,  0x12835b0145706fbeUL ,
577      0x243185be4ee4b28cUL ,  0x550c7dc3d5ffb4e2UL ,
578      0x72be5d74f27b896fUL ,  0x80deb1fe3b1696b1UL ,
579      0x9bdc06a725c71235UL ,  0xc19bf174cf692694UL ,
580      0xe49b69c19ef14ad2UL ,  0xefbe4786384f25e3UL ,
581      0x0fc19dc68b8cd5b5UL ,  0x240ca1cc77ac9c65UL ,
582      0x2de92c6f592b0275UL ,  0x4a7484aa6ea6e483UL ,
583      0x5cb0a9dcbd41fbd4UL ,  0x76f988da831153b5UL ,
584      0x983e5152ee66dfabUL ,  0xa831c66d2db43210UL ,
585      0xb00327c898fb213fUL ,  0xbf597fc7beef0ee4UL ,
586      0xc6e00bf33da88fc2UL ,  0xd5a79147930aa725UL ,
587      0x06ca6351e003826fUL ,  0x142929670a0e6e70UL ,
588      0x27b70a8546d22ffcUL ,  0x2e1b21385c26c926UL ,
589      0x4d2c6dfc5ac42aedUL ,  0x53380d139d95b3dfUL ,
590      0x650a73548baf63deUL ,  0x766a0abb3c77b2a8UL ,
591      0x81c2c92e47edaee6UL ,  0x92722c851482353bUL ,
592      0xa2bfe8a14cf10364UL ,  0xa81a664bbc423001UL ,
593      0xc24b8b70d0f89791UL ,  0xc76c51a30654be30UL ,
594      0xd192e819d6ef5218UL ,  0xd69906245565a910UL ,
595      0xf40e35855771202aUL ,  0x106aa07032bbd1b8UL ,
596      0x19a4c116b8d2d0c8UL ,  0x1e376c085141ab53UL ,
597      0x2748774cdf8eeb99UL ,  0x34b0bcb5e19b48a8UL ,
598      0x391c0cb3c5c95a63UL ,  0x4ed8aa4ae3418acbUL ,
599      0x5b9cca4f7763e373UL ,  0x682e6ff3d6b2b8a3UL ,
600      0x748f82ee5defb2fcUL ,  0x78a5636f43172f60UL ,
601      0x84c87814a1f0ab72UL ,  0x8cc702081a6439ecUL ,
602      0x90befffa23631e28UL ,  0xa4506cebde82bde9UL ,
603      0xbef9a3f7b2c67915UL ,  0xc67178f2e372532bUL ,
604      0xca273eceea26619cUL ,  0xd186b8c721c0c207UL ,
605      0xeada7dd6cde0eb1eUL ,  0xf57d4f7fee6ed178UL ,
606      0x06f067aa72176fbaUL ,  0x0a637dc5a2c898a6UL ,
607      0x113f9804bef90daeUL ,  0x1b710b35131c471bUL ,
608      0x28db77f523047d84UL ,  0x32caab7b40c72493UL ,
609      0x3c9ebe0a15c9bebcUL ,  0x431d67c49c100d4cUL ,
610      0x4cc5d4becb3e42b6UL ,  0x597f299cfc657e2aUL ,
611      0x5fcb6fab3ad6faecUL ,  0x6c44198c4a475817UL
612 #else
613     ULLC(428a2f98,d728ae22), ULLC(71374491,23ef65cd),
614     ULLC(b5c0fbcf,ec4d3b2f), ULLC(e9b5dba5,8189dbbc),
615     ULLC(3956c25b,f348b538), ULLC(59f111f1,b605d019),
616     ULLC(923f82a4,af194f9b), ULLC(ab1c5ed5,da6d8118),
617     ULLC(d807aa98,a3030242), ULLC(12835b01,45706fbe),
618     ULLC(243185be,4ee4b28c), ULLC(550c7dc3,d5ffb4e2),
619     ULLC(72be5d74,f27b896f), ULLC(80deb1fe,3b1696b1),
620     ULLC(9bdc06a7,25c71235), ULLC(c19bf174,cf692694),
621     ULLC(e49b69c1,9ef14ad2), ULLC(efbe4786,384f25e3),
622     ULLC(0fc19dc6,8b8cd5b5), ULLC(240ca1cc,77ac9c65),
623     ULLC(2de92c6f,592b0275), ULLC(4a7484aa,6ea6e483),
624     ULLC(5cb0a9dc,bd41fbd4), ULLC(76f988da,831153b5),
625     ULLC(983e5152,ee66dfab), ULLC(a831c66d,2db43210),
626     ULLC(b00327c8,98fb213f), ULLC(bf597fc7,beef0ee4),
627     ULLC(c6e00bf3,3da88fc2), ULLC(d5a79147,930aa725),
628     ULLC(06ca6351,e003826f), ULLC(14292967,0a0e6e70),
629     ULLC(27b70a85,46d22ffc), ULLC(2e1b2138,5c26c926),
630     ULLC(4d2c6dfc,5ac42aed), ULLC(53380d13,9d95b3df),
631     ULLC(650a7354,8baf63de), ULLC(766a0abb,3c77b2a8),
632     ULLC(81c2c92e,47edaee6), ULLC(92722c85,1482353b),
633     ULLC(a2bfe8a1,4cf10364), ULLC(a81a664b,bc423001),
634     ULLC(c24b8b70,d0f89791), ULLC(c76c51a3,0654be30),
635     ULLC(d192e819,d6ef5218), ULLC(d6990624,5565a910),
636     ULLC(f40e3585,5771202a), ULLC(106aa070,32bbd1b8),
637     ULLC(19a4c116,b8d2d0c8), ULLC(1e376c08,5141ab53),
638     ULLC(2748774c,df8eeb99), ULLC(34b0bcb5,e19b48a8),
639     ULLC(391c0cb3,c5c95a63), ULLC(4ed8aa4a,e3418acb),
640     ULLC(5b9cca4f,7763e373), ULLC(682e6ff3,d6b2b8a3),
641     ULLC(748f82ee,5defb2fc), ULLC(78a5636f,43172f60),
642     ULLC(84c87814,a1f0ab72), ULLC(8cc70208,1a6439ec),
643     ULLC(90befffa,23631e28), ULLC(a4506ceb,de82bde9),
644     ULLC(bef9a3f7,b2c67915), ULLC(c67178f2,e372532b),
645     ULLC(ca273ece,ea26619c), ULLC(d186b8c7,21c0c207),
646     ULLC(eada7dd6,cde0eb1e), ULLC(f57d4f7f,ee6ed178),
647     ULLC(06f067aa,72176fba), ULLC(0a637dc5,a2c898a6),
648     ULLC(113f9804,bef90dae), ULLC(1b710b35,131c471b),
649     ULLC(28db77f5,23047d84), ULLC(32caab7b,40c72493),
650     ULLC(3c9ebe0a,15c9bebc), ULLC(431d67c4,9c100d4c),
651     ULLC(4cc5d4be,cb3e42b6), ULLC(597f299c,fc657e2a),
652     ULLC(5fcb6fab,3ad6faec), ULLC(6c44198c,4a475817)
653 #endif
654 };
655 
656 struct SHA512ContextStr {
657     union {
658 	PRUint64 w[80];	    /* message schedule, input buffer, plus 64 words */
659 	PRUint32 l[160];
660 	PRUint8  b[640];
661     } u;
662     PRUint64 h[8];	    /* 8 state variables */
663     PRUint64 sizeLo;	    /* 64-bit count of hashed bytes. */
664 };
665 
666 /* =========== SHA512 implementation ===================================== */
667 
668 /* SHA-512 initial hash values */
669 static const PRUint64 H512[8] = {
670 #if PR_BYTES_PER_LONG == 8
671      0x6a09e667f3bcc908UL ,  0xbb67ae8584caa73bUL ,
672      0x3c6ef372fe94f82bUL ,  0xa54ff53a5f1d36f1UL ,
673      0x510e527fade682d1UL ,  0x9b05688c2b3e6c1fUL ,
674      0x1f83d9abfb41bd6bUL ,  0x5be0cd19137e2179UL
675 #else
676     ULLC(6a09e667,f3bcc908), ULLC(bb67ae85,84caa73b),
677     ULLC(3c6ef372,fe94f82b), ULLC(a54ff53a,5f1d36f1),
678     ULLC(510e527f,ade682d1), ULLC(9b05688c,2b3e6c1f),
679     ULLC(1f83d9ab,fb41bd6b), ULLC(5be0cd19,137e2179)
680 #endif
681 };
682 
683 
684 SHA512Context *
685 SHA512_NewContext(void)
686 {
687     SHA512Context *ctx = PORT_New(SHA512Context);
688     return ctx;
689 }
690 
691 void
692 SHA512_DestroyContext(SHA512Context *ctx, PRBool freeit)
693 {
694     if (freeit) {
695         PORT_ZFree(ctx, sizeof *ctx);
696     }
697 }
698 
699 void
700 SHA512_Begin(SHA512Context *ctx)
701 {
702     memset(ctx, 0, sizeof *ctx);
703     memcpy(H, H512, sizeof H512);
704 }
705 
706 #if defined(SHA512_TRACE)
707 #if defined(HAVE_LONG_LONG)
708 #define DUMP(n,a,d,e,h) printf(" t = %2d, %s = %016lx, %s = %016lx\n", \
709 			       n, #e, d, #a, h);
710 #else
711 #define DUMP(n,a,d,e,h) printf(" t = %2d, %s = %08x%08x, %s = %08x%08x\n", \
712 			       n, #e, d.hi, d.lo, #a, h.hi, h.lo);
713 #endif
714 #else
715 #define DUMP(n,a,d,e,h)
716 #endif
717 
718 #if defined(HAVE_LONG_LONG)
719 
720 #define ADDTO(x,y) y += x
721 
722 #define INITW(t) W[t] = (s1(W[t-2]) + W[t-7] + s0(W[t-15]) + W[t-16])
723 
724 #define ROUND(n,a,b,c,d,e,f,g,h) \
725     h += S1(e) + Ch(e,f,g) + K512[n] + W[n]; \
726     d += h; \
727     h += S0(a) + Maj(a,b,c); \
728     DUMP(n,a,d,e,h)
729 
730 #else /* use only 32-bit variables, and don't unroll loops */
731 
732 #undef  NOUNROLL512
733 #define NOUNROLL512 1
734 
735 #define ADDTO(x,y) y.lo += x.lo; y.hi += x.hi + (x.lo > y.lo)
736 
737 #define ROTR64a(x,n,lo,hi) (x.lo >> n | x.hi << (32-n))
738 #define ROTR64A(x,n,lo,hi) (x.lo << (64-n) | x.hi >> (n-32))
739 #define  SHR64a(x,n,lo,hi) (x.lo >> n | x.hi << (32-n))
740 
741 /* Capitol Sigma and lower case sigma functions */
742 #define s0lo(x) (ROTR64a(x,1,lo,hi) ^ ROTR64a(x,8,lo,hi) ^ SHR64a(x,7,lo,hi))
743 #define s0hi(x) (ROTR64a(x,1,hi,lo) ^ ROTR64a(x,8,hi,lo) ^ (x.hi >> 7))
744 
745 #define s1lo(x) (ROTR64a(x,19,lo,hi) ^ ROTR64A(x,61,lo,hi) ^ SHR64a(x,6,lo,hi))
746 #define s1hi(x) (ROTR64a(x,19,hi,lo) ^ ROTR64A(x,61,hi,lo) ^ (x.hi >> 6))
747 
748 #define S0lo(x)(ROTR64a(x,28,lo,hi) ^ ROTR64A(x,34,lo,hi) ^ ROTR64A(x,39,lo,hi))
749 #define S0hi(x)(ROTR64a(x,28,hi,lo) ^ ROTR64A(x,34,hi,lo) ^ ROTR64A(x,39,hi,lo))
750 
751 #define S1lo(x)(ROTR64a(x,14,lo,hi) ^ ROTR64a(x,18,lo,hi) ^ ROTR64A(x,41,lo,hi))
752 #define S1hi(x)(ROTR64a(x,14,hi,lo) ^ ROTR64a(x,18,hi,lo) ^ ROTR64A(x,41,hi,lo))
753 
754 /* 32-bit versions of Ch and Maj */
755 #define Chxx(x,y,z,lo) ((x.lo & y.lo) ^ (~x.lo & z.lo))
756 #define Majx(x,y,z,lo) ((x.lo & y.lo) ^ (x.lo & z.lo) ^ (y.lo & z.lo))
757 
758 #define INITW(t) \
759     do { \
760 	PRUint32 lo, tm; \
761 	PRUint32 cy = 0; \
762 	lo = s1lo(W[t-2]); \
763 	lo += (tm = W[t-7].lo);     if (lo < tm) cy++; \
764 	lo += (tm = s0lo(W[t-15])); if (lo < tm) cy++; \
765 	lo += (tm = W[t-16].lo);    if (lo < tm) cy++; \
766 	W[t].lo = lo; \
767 	W[t].hi = cy + s1hi(W[t-2]) + W[t-7].hi + s0hi(W[t-15]) + W[t-16].hi; \
768     } while (0)
769 
770 #define ROUND(n,a,b,c,d,e,f,g,h) \
771     { \
772 	PRUint32 lo, tm, cy; \
773 	lo  = S1lo(e); \
774 	lo += (tm = Chxx(e,f,g,lo));    cy = (lo < tm); \
775 	lo += (tm = K512[n].lo);	if (lo < tm) cy++; \
776 	lo += (tm =    W[n].lo);	if (lo < tm) cy++; \
777 	h.lo += lo;			if (h.lo < lo) cy++; \
778 	h.hi += cy + S1hi(e) + Chxx(e,f,g,hi) + K512[n].hi + W[n].hi; \
779 	d.lo += h.lo; \
780 	d.hi += h.hi + (d.lo < h.lo); \
781 	lo  = S0lo(a);  \
782 	lo += (tm = Majx(a,b,c,lo));	cy = (lo < tm); \
783 	h.lo += lo;			if (h.lo < lo) cy++; \
784 	h.hi += cy + S0hi(a) + Majx(a,b,c,hi); \
785 	DUMP(n,a,d,e,h) \
786     }
787 #endif
788 
789 static void
790 SHA512_Compress(SHA512Context *ctx)
791 {
792 #if defined(IS_LITTLE_ENDIAN)
793   {
794 #if defined(HAVE_LONG_LONG)
795     PRUint64 t1;
796 #else
797     PRUint32 t1;
798 #endif
799     BYTESWAP8(W[0]);
800     BYTESWAP8(W[1]);
801     BYTESWAP8(W[2]);
802     BYTESWAP8(W[3]);
803     BYTESWAP8(W[4]);
804     BYTESWAP8(W[5]);
805     BYTESWAP8(W[6]);
806     BYTESWAP8(W[7]);
807     BYTESWAP8(W[8]);
808     BYTESWAP8(W[9]);
809     BYTESWAP8(W[10]);
810     BYTESWAP8(W[11]);
811     BYTESWAP8(W[12]);
812     BYTESWAP8(W[13]);
813     BYTESWAP8(W[14]);
814     BYTESWAP8(W[15]);
815   }
816 #endif
817 
818   {
819     PRUint64 t1, t2;
820 #ifdef NOUNROLL512
821     {
822 	/* prepare the "message schedule"   */
823 	int t;
824 	for (t = 16; t < 80; ++t) {
825 	    INITW(t);
826 	}
827     }
828 #else
829     INITW(16);
830     INITW(17);
831     INITW(18);
832     INITW(19);
833 
834     INITW(20);
835     INITW(21);
836     INITW(22);
837     INITW(23);
838     INITW(24);
839     INITW(25);
840     INITW(26);
841     INITW(27);
842     INITW(28);
843     INITW(29);
844 
845     INITW(30);
846     INITW(31);
847     INITW(32);
848     INITW(33);
849     INITW(34);
850     INITW(35);
851     INITW(36);
852     INITW(37);
853     INITW(38);
854     INITW(39);
855 
856     INITW(40);
857     INITW(41);
858     INITW(42);
859     INITW(43);
860     INITW(44);
861     INITW(45);
862     INITW(46);
863     INITW(47);
864     INITW(48);
865     INITW(49);
866 
867     INITW(50);
868     INITW(51);
869     INITW(52);
870     INITW(53);
871     INITW(54);
872     INITW(55);
873     INITW(56);
874     INITW(57);
875     INITW(58);
876     INITW(59);
877 
878     INITW(60);
879     INITW(61);
880     INITW(62);
881     INITW(63);
882     INITW(64);
883     INITW(65);
884     INITW(66);
885     INITW(67);
886     INITW(68);
887     INITW(69);
888 
889     INITW(70);
890     INITW(71);
891     INITW(72);
892     INITW(73);
893     INITW(74);
894     INITW(75);
895     INITW(76);
896     INITW(77);
897     INITW(78);
898     INITW(79);
899 #endif
900   }
901 #ifdef SHA512_TRACE
902   {
903     int i;
904     for (i = 0; i < 80; ++i) {
905 #ifdef HAVE_LONG_LONG
906 	printf("W[%2d] = %016lx\n", i, W[i]);
907 #else
908 	printf("W[%2d] = %08x%08x\n", i, W[i].hi, W[i].lo);
909 #endif
910     }
911   }
912 #endif
913   {
914     PRUint64 a, b, c, d, e, f, g, h;
915 
916     a = H[0];
917     b = H[1];
918     c = H[2];
919     d = H[3];
920     e = H[4];
921     f = H[5];
922     g = H[6];
923     h = H[7];
924 
925 #ifdef NOUNROLL512
926     {
927 	int t;
928 	for (t = 0; t < 80; t+= 8) {
929 	    ROUND(t+0,a,b,c,d,e,f,g,h)
930 	    ROUND(t+1,h,a,b,c,d,e,f,g)
931 	    ROUND(t+2,g,h,a,b,c,d,e,f)
932 	    ROUND(t+3,f,g,h,a,b,c,d,e)
933 	    ROUND(t+4,e,f,g,h,a,b,c,d)
934 	    ROUND(t+5,d,e,f,g,h,a,b,c)
935 	    ROUND(t+6,c,d,e,f,g,h,a,b)
936 	    ROUND(t+7,b,c,d,e,f,g,h,a)
937 	}
938     }
939 #else
940     ROUND( 0,a,b,c,d,e,f,g,h)
941     ROUND( 1,h,a,b,c,d,e,f,g)
942     ROUND( 2,g,h,a,b,c,d,e,f)
943     ROUND( 3,f,g,h,a,b,c,d,e)
944     ROUND( 4,e,f,g,h,a,b,c,d)
945     ROUND( 5,d,e,f,g,h,a,b,c)
946     ROUND( 6,c,d,e,f,g,h,a,b)
947     ROUND( 7,b,c,d,e,f,g,h,a)
948 
949     ROUND( 8,a,b,c,d,e,f,g,h)
950     ROUND( 9,h,a,b,c,d,e,f,g)
951     ROUND(10,g,h,a,b,c,d,e,f)
952     ROUND(11,f,g,h,a,b,c,d,e)
953     ROUND(12,e,f,g,h,a,b,c,d)
954     ROUND(13,d,e,f,g,h,a,b,c)
955     ROUND(14,c,d,e,f,g,h,a,b)
956     ROUND(15,b,c,d,e,f,g,h,a)
957 
958     ROUND(16,a,b,c,d,e,f,g,h)
959     ROUND(17,h,a,b,c,d,e,f,g)
960     ROUND(18,g,h,a,b,c,d,e,f)
961     ROUND(19,f,g,h,a,b,c,d,e)
962     ROUND(20,e,f,g,h,a,b,c,d)
963     ROUND(21,d,e,f,g,h,a,b,c)
964     ROUND(22,c,d,e,f,g,h,a,b)
965     ROUND(23,b,c,d,e,f,g,h,a)
966 
967     ROUND(24,a,b,c,d,e,f,g,h)
968     ROUND(25,h,a,b,c,d,e,f,g)
969     ROUND(26,g,h,a,b,c,d,e,f)
970     ROUND(27,f,g,h,a,b,c,d,e)
971     ROUND(28,e,f,g,h,a,b,c,d)
972     ROUND(29,d,e,f,g,h,a,b,c)
973     ROUND(30,c,d,e,f,g,h,a,b)
974     ROUND(31,b,c,d,e,f,g,h,a)
975 
976     ROUND(32,a,b,c,d,e,f,g,h)
977     ROUND(33,h,a,b,c,d,e,f,g)
978     ROUND(34,g,h,a,b,c,d,e,f)
979     ROUND(35,f,g,h,a,b,c,d,e)
980     ROUND(36,e,f,g,h,a,b,c,d)
981     ROUND(37,d,e,f,g,h,a,b,c)
982     ROUND(38,c,d,e,f,g,h,a,b)
983     ROUND(39,b,c,d,e,f,g,h,a)
984 
985     ROUND(40,a,b,c,d,e,f,g,h)
986     ROUND(41,h,a,b,c,d,e,f,g)
987     ROUND(42,g,h,a,b,c,d,e,f)
988     ROUND(43,f,g,h,a,b,c,d,e)
989     ROUND(44,e,f,g,h,a,b,c,d)
990     ROUND(45,d,e,f,g,h,a,b,c)
991     ROUND(46,c,d,e,f,g,h,a,b)
992     ROUND(47,b,c,d,e,f,g,h,a)
993 
994     ROUND(48,a,b,c,d,e,f,g,h)
995     ROUND(49,h,a,b,c,d,e,f,g)
996     ROUND(50,g,h,a,b,c,d,e,f)
997     ROUND(51,f,g,h,a,b,c,d,e)
998     ROUND(52,e,f,g,h,a,b,c,d)
999     ROUND(53,d,e,f,g,h,a,b,c)
1000     ROUND(54,c,d,e,f,g,h,a,b)
1001     ROUND(55,b,c,d,e,f,g,h,a)
1002 
1003     ROUND(56,a,b,c,d,e,f,g,h)
1004     ROUND(57,h,a,b,c,d,e,f,g)
1005     ROUND(58,g,h,a,b,c,d,e,f)
1006     ROUND(59,f,g,h,a,b,c,d,e)
1007     ROUND(60,e,f,g,h,a,b,c,d)
1008     ROUND(61,d,e,f,g,h,a,b,c)
1009     ROUND(62,c,d,e,f,g,h,a,b)
1010     ROUND(63,b,c,d,e,f,g,h,a)
1011 
1012     ROUND(64,a,b,c,d,e,f,g,h)
1013     ROUND(65,h,a,b,c,d,e,f,g)
1014     ROUND(66,g,h,a,b,c,d,e,f)
1015     ROUND(67,f,g,h,a,b,c,d,e)
1016     ROUND(68,e,f,g,h,a,b,c,d)
1017     ROUND(69,d,e,f,g,h,a,b,c)
1018     ROUND(70,c,d,e,f,g,h,a,b)
1019     ROUND(71,b,c,d,e,f,g,h,a)
1020 
1021     ROUND(72,a,b,c,d,e,f,g,h)
1022     ROUND(73,h,a,b,c,d,e,f,g)
1023     ROUND(74,g,h,a,b,c,d,e,f)
1024     ROUND(75,f,g,h,a,b,c,d,e)
1025     ROUND(76,e,f,g,h,a,b,c,d)
1026     ROUND(77,d,e,f,g,h,a,b,c)
1027     ROUND(78,c,d,e,f,g,h,a,b)
1028     ROUND(79,b,c,d,e,f,g,h,a)
1029 #endif
1030 
1031     ADDTO(a,H[0]);
1032     ADDTO(b,H[1]);
1033     ADDTO(c,H[2]);
1034     ADDTO(d,H[3]);
1035     ADDTO(e,H[4]);
1036     ADDTO(f,H[5]);
1037     ADDTO(g,H[6]);
1038     ADDTO(h,H[7]);
1039   }
1040 }
1041 
1042 void
1043 SHA512_Update(SHA512Context *ctx, const unsigned char *input,
1044               unsigned int inputLen)
1045 {
1046     unsigned int inBuf;
1047     if (!inputLen)
1048     	return;
1049 
1050 #if defined(HAVE_LONG_LONG)
1051     inBuf = (unsigned int)ctx->sizeLo & 0x7f;
1052     /* Add inputLen into the count of bytes processed, before processing */
1053     ctx->sizeLo += inputLen;
1054 #else
1055     inBuf = (unsigned int)ctx->sizeLo.lo & 0x7f;
1056     ctx->sizeLo.lo += inputLen;
1057     if (ctx->sizeLo.lo < inputLen) ctx->sizeLo.hi++;
1058 #endif
1059 
1060     /* if data already in buffer, attemp to fill rest of buffer */
1061     if (inBuf) {
1062     	unsigned int todo = SHA512_BLOCK_LENGTH - inBuf;
1063 	if (inputLen < todo)
1064 	    todo = inputLen;
1065 	memcpy(B + inBuf, input, todo);
1066 	input    += todo;
1067 	inputLen -= todo;
1068 	if (inBuf + todo == SHA512_BLOCK_LENGTH)
1069 	    SHA512_Compress(ctx);
1070     }
1071 
1072     /* if enough data to fill one or more whole buffers, process them. */
1073     while (inputLen >= SHA512_BLOCK_LENGTH) {
1074     	memcpy(B, input, SHA512_BLOCK_LENGTH);
1075 	input    += SHA512_BLOCK_LENGTH;
1076 	inputLen -= SHA512_BLOCK_LENGTH;
1077 	SHA512_Compress(ctx);
1078     }
1079     /* if data left over, fill it into buffer */
1080     if (inputLen)
1081     	memcpy(B, input, inputLen);
1082 }
1083 
1084 void
1085 SHA512_End(SHA512Context *ctx, unsigned char *digest,
1086            unsigned int *digestLen, unsigned int maxDigestLen)
1087 {
1088 #if defined(HAVE_LONG_LONG)
1089     unsigned int inBuf  = (unsigned int)ctx->sizeLo & 0x7f;
1090     unsigned int padLen = (inBuf < 112) ? (112 - inBuf) : (112 + 128 - inBuf);
1091     PRUint64 lo, t1;
1092     lo = (ctx->sizeLo << 3);
1093 #else
1094     unsigned int inBuf  = (unsigned int)ctx->sizeLo.lo & 0x7f;
1095     unsigned int padLen = (inBuf < 112) ? (112 - inBuf) : (112 + 128 - inBuf);
1096     PRUint64 lo = ctx->sizeLo;
1097     PRUint32 t1;
1098     lo.lo <<= 3;
1099 #endif
1100 
1101     SHA512_Update(ctx, pad, padLen);
1102 
1103 #if defined(HAVE_LONG_LONG)
1104     W[14] = 0;
1105 #else
1106     W[14].lo = 0;
1107     W[14].hi = 0;
1108 #endif
1109 
1110     W[15] = lo;
1111 #if defined(IS_LITTLE_ENDIAN)
1112     BYTESWAP8(W[15]);
1113 #endif
1114     SHA512_Compress(ctx);
1115 
1116     /* now output the answer */
1117 #if defined(IS_LITTLE_ENDIAN)
1118     BYTESWAP8(H[0]);
1119     BYTESWAP8(H[1]);
1120     BYTESWAP8(H[2]);
1121     BYTESWAP8(H[3]);
1122     BYTESWAP8(H[4]);
1123     BYTESWAP8(H[5]);
1124     BYTESWAP8(H[6]);
1125     BYTESWAP8(H[7]);
1126 #endif
1127     padLen = PR_MIN(SHA512_LENGTH, maxDigestLen);
1128     memcpy(digest, H, padLen);
1129     if (digestLen)
1130 	*digestLen = padLen;
1131 }
1132 
1133 SECStatus
1134 SHA512_HashBuf(unsigned char *dest, const unsigned char *src,
1135                unsigned int src_length)
1136 {
1137     SHA512Context ctx;
1138     unsigned int outLen;
1139 
1140     SHA512_Begin(&ctx);
1141     SHA512_Update(&ctx, src, src_length);
1142     SHA512_End(&ctx, dest, &outLen, SHA512_LENGTH);
1143 
1144     return SECSuccess;
1145 }
1146 
1147 
1148 SECStatus
1149 SHA512_Hash(unsigned char *dest, const char *src)
1150 {
1151     return SHA512_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
1152 }
1153 
1154 
1155 void SHA512_TraceState(SHA512Context *ctx) { }
1156 
1157 unsigned int
1158 SHA512_FlattenSize(SHA512Context *ctx)
1159 {
1160     return sizeof *ctx;
1161 }
1162 
1163 SECStatus
1164 SHA512_Flatten(SHA512Context *ctx,unsigned char *space)
1165 {
1166     PORT_Memcpy(space, ctx, sizeof *ctx);
1167     return SECSuccess;
1168 }
1169 
1170 SHA512Context *
1171 SHA512_Resurrect(unsigned char *space, void *arg)
1172 {
1173     SHA512Context *ctx = SHA512_NewContext();
1174     if (ctx)
1175 	PORT_Memcpy(ctx, space, sizeof *ctx);
1176     return ctx;
1177 }
1178 
1179 void SHA512_Clone(SHA512Context *dest, SHA512Context *src)
1180 {
1181     memcpy(dest, src, sizeof *dest);
1182 }
1183 
1184 /* ======================================================================= */
1185 /* SHA384 uses a SHA512Context as the real context.
1186 ** The only differences between SHA384 an SHA512 are:
1187 ** a) the intialization values for the context, and
1188 ** b) the number of bytes of data produced as output.
1189 */
1190 
1191 /* SHA-384 initial hash values */
1192 static const PRUint64 H384[8] = {
1193 #if PR_BYTES_PER_LONG == 8
1194      0xcbbb9d5dc1059ed8UL ,  0x629a292a367cd507UL ,
1195      0x9159015a3070dd17UL ,  0x152fecd8f70e5939UL ,
1196      0x67332667ffc00b31UL ,  0x8eb44a8768581511UL ,
1197      0xdb0c2e0d64f98fa7UL ,  0x47b5481dbefa4fa4UL
1198 #else
1199     ULLC(cbbb9d5d,c1059ed8), ULLC(629a292a,367cd507),
1200     ULLC(9159015a,3070dd17), ULLC(152fecd8,f70e5939),
1201     ULLC(67332667,ffc00b31), ULLC(8eb44a87,68581511),
1202     ULLC(db0c2e0d,64f98fa7), ULLC(47b5481d,befa4fa4)
1203 #endif
1204 };
1205 
1206 SHA384Context *
1207 SHA384_NewContext(void)
1208 {
1209     return SHA512_NewContext();
1210 }
1211 
1212 void
1213 SHA384_DestroyContext(SHA384Context *ctx, PRBool freeit)
1214 {
1215     SHA512_DestroyContext(ctx, freeit);
1216 }
1217 
1218 void
1219 SHA384_Begin(SHA384Context *ctx)
1220 {
1221     memset(ctx, 0, sizeof *ctx);
1222     memcpy(H, H384, sizeof H384);
1223 }
1224 
1225 void
1226 SHA384_Update(SHA384Context *ctx, const unsigned char *input,
1227 		    unsigned int inputLen)
1228 {
1229     SHA512_Update(ctx, input, inputLen);
1230 }
1231 
1232 void
1233 SHA384_End(SHA384Context *ctx, unsigned char *digest,
1234 		 unsigned int *digestLen, unsigned int maxDigestLen)
1235 {
1236 #define SHA_MIN(a,b) (a < b ? a : b)
1237     unsigned int maxLen = SHA_MIN(maxDigestLen, SHA384_LENGTH);
1238     SHA512_End(ctx, digest, digestLen, maxLen);
1239 }
1240 
1241 SECStatus
1242 SHA384_HashBuf(unsigned char *dest, const unsigned char *src,
1243 			  unsigned int src_length)
1244 {
1245     SHA512Context ctx;
1246     unsigned int outLen;
1247 
1248     SHA384_Begin(&ctx);
1249     SHA512_Update(&ctx, src, src_length);
1250     SHA512_End(&ctx, dest, &outLen, SHA384_LENGTH);
1251 
1252     return SECSuccess;
1253 }
1254 
1255 SECStatus
1256 SHA384_Hash(unsigned char *dest, const char *src)
1257 {
1258     return SHA384_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
1259 }
1260 
1261 void SHA384_TraceState(SHA384Context *ctx) { }
1262 
1263 unsigned int
1264 SHA384_FlattenSize(SHA384Context *ctx)
1265 {
1266     return sizeof(SHA384Context);
1267 }
1268 
1269 SECStatus
1270 SHA384_Flatten(SHA384Context *ctx,unsigned char *space)
1271 {
1272     return SHA512_Flatten(ctx, space);
1273 }
1274 
1275 SHA384Context *
1276 SHA384_Resurrect(unsigned char *space, void *arg)
1277 {
1278     return SHA512_Resurrect(space, arg);
1279 }
1280 
1281 void SHA384_Clone(SHA384Context *dest, SHA384Context *src)
1282 {
1283     memcpy(dest, src, sizeof *dest);
1284 }
1285 #endif  /* Comment out unused code. */
1286 
1287 /* ======================================================================= */
1288 #ifdef SELFTEST
1289 #include <stdio.h>
1290 
1291 static const char abc[] = { "abc" };
1292 static const char abcdbc[] = {
1293     "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
1294 };
1295 static const char abcdef[] = {
1296     "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
1297     "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"
1298 };
1299 
1300 void
dumpHash32(const unsigned char * buf,unsigned int bufLen)1301 dumpHash32(const unsigned char *buf, unsigned int bufLen)
1302 {
1303     unsigned int i;
1304     for (i = 0; i < bufLen; i += 4) {
1305 	printf(" %02x%02x%02x%02x", buf[i], buf[i+1], buf[i+2], buf[i+3]);
1306     }
1307     printf("\n");
1308 }
1309 
test256(void)1310 void test256(void)
1311 {
1312     unsigned char outBuf[SHA256_LENGTH];
1313 
1314     printf("SHA256, input = %s\n", abc);
1315     SHA256_Hash(outBuf, abc);
1316     dumpHash32(outBuf, sizeof outBuf);
1317 
1318     printf("SHA256, input = %s\n", abcdbc);
1319     SHA256_Hash(outBuf, abcdbc);
1320     dumpHash32(outBuf, sizeof outBuf);
1321 }
1322 
1323 void
dumpHash64(const unsigned char * buf,unsigned int bufLen)1324 dumpHash64(const unsigned char *buf, unsigned int bufLen)
1325 {
1326     unsigned int i;
1327     for (i = 0; i < bufLen; i += 8) {
1328     	if (i % 32 == 0)
1329 	    printf("\n");
1330 	printf(" %02x%02x%02x%02x%02x%02x%02x%02x",
1331 	       buf[i  ], buf[i+1], buf[i+2], buf[i+3],
1332 	       buf[i+4], buf[i+5], buf[i+6], buf[i+7]);
1333     }
1334     printf("\n");
1335 }
1336 
test512(void)1337 void test512(void)
1338 {
1339     unsigned char outBuf[SHA512_LENGTH];
1340 
1341     printf("SHA512, input = %s\n", abc);
1342     SHA512_Hash(outBuf, abc);
1343     dumpHash64(outBuf, sizeof outBuf);
1344 
1345     printf("SHA512, input = %s\n", abcdef);
1346     SHA512_Hash(outBuf, abcdef);
1347     dumpHash64(outBuf, sizeof outBuf);
1348 }
1349 
time512(void)1350 void time512(void)
1351 {
1352     unsigned char outBuf[SHA512_LENGTH];
1353 
1354     SHA512_Hash(outBuf, abc);
1355     SHA512_Hash(outBuf, abcdef);
1356 }
1357 
test384(void)1358 void test384(void)
1359 {
1360     unsigned char outBuf[SHA384_LENGTH];
1361 
1362     printf("SHA384, input = %s\n", abc);
1363     SHA384_Hash(outBuf, abc);
1364     dumpHash64(outBuf, sizeof outBuf);
1365 
1366     printf("SHA384, input = %s\n", abcdef);
1367     SHA384_Hash(outBuf, abcdef);
1368     dumpHash64(outBuf, sizeof outBuf);
1369 }
1370 
main(int argc,char * argv[],char * envp[])1371 int main (int argc, char *argv[], char *envp[])
1372 {
1373     int i = 1;
1374     if (argc > 1) {
1375     	i = atoi(argv[1]);
1376     }
1377     if (i < 2) {
1378 	test256();
1379 	test512();
1380 	test384();
1381     } else {
1382     	while (i-- > 0) {
1383 	    time512();
1384 	}
1385 	printf("done\n");
1386     }
1387     return 0;
1388 }
1389 
1390 #endif
1391