1 /*- 2 * Copyright 2005 Colin Percival 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <inttypes.h> 28 29 #include <string.h> 30 31 #include "../common.h" 32 #include "sha256.h" 33 34 #if BYTE_ORDER == BIG_ENDIAN 35 36 /* Copy a vector of big-endian uint32_t into a vector of bytes */ 37 #define be32enc_vect(dst, src, len) \ 38 memcpy((void *)dst, (const void *)src, (size_t)len) 39 40 /* Copy a vector of bytes into a vector of big-endian uint32_t */ 41 #define be32dec_vect(dst, src, len) \ 42 memcpy((void *)dst, (const void *)src, (size_t)len) 43 44 #else /* BYTE_ORDER != BIG_ENDIAN */ 45 46 /* 47 * Encode a length len/4 vector of (uint32_t) into a length len vector of 48 * (unsigned char) in big-endian form. Assumes len is a multiple of 4. 49 */ 50 static void 51 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) 52 { 53 size_t i; 54 55 for (i = 0; i < len / 4; i++) 56 be32enc(dst + i * 4, src[i]); 57 } 58 59 /* 60 * Decode a big-endian length len vector of (unsigned char) into a length 61 * len/4 vector of (uint32_t). Assumes len is a multiple of 4. 62 */ 63 static void 64 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) 65 { 66 size_t i; 67 68 for (i = 0; i < len / 4; i++) 69 dst[i] = be32dec(src + i * 4); 70 } 71 72 #endif /* BYTE_ORDER != BIG_ENDIAN */ 73 74 /* Elementary functions used by SHA256 */ 75 #define Ch(x, y, z) ((x & (y ^ z)) ^ z) 76 #define Maj(x, y, z) ((x & (y | z)) | (y & z)) 77 #define SHR(x, n) (x >> n) 78 #define ROTR(x, n) ((x >> n) | (x << (32 - n))) 79 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 80 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 81 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) 82 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) 83 84 /* SHA256 round function */ 85 #define RND(a, b, c, d, e, f, g, h, k) \ 86 t0 = h + S1(e) + Ch(e, f, g) + k; \ 87 t1 = S0(a) + Maj(a, b, c); \ 88 d += t0; \ 89 h = t0 + t1; 90 91 /* Adjusted round function for rotating state */ 92 #define RNDr(S, W, i, k) \ 93 RND(S[(64 - i) % 8], S[(65 - i) % 8], \ 94 S[(66 - i) % 8], S[(67 - i) % 8], \ 95 S[(68 - i) % 8], S[(69 - i) % 8], \ 96 S[(70 - i) % 8], S[(71 - i) % 8], \ 97 W[i] + k) 98 99 /* 100 * SHA256 block compression function. The 256-bit state is transformed via 101 * the 512-bit input block to produce a new state. 102 */ 103 static void 104 SHA256_Transform(uint32_t * state, const unsigned char block[64]) 105 { 106 uint32_t W[64]; 107 uint32_t S[8]; 108 uint32_t t0, t1; 109 int i; 110 111 /* 1. Prepare message schedule W. */ 112 be32dec_vect(W, block, 64); 113 for (i = 16; i < 64; i++) 114 W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; 115 116 /* 2. Initialize working variables. */ 117 memcpy(S, state, 32); 118 119 /* 3. Mix. */ 120 RNDr(S, W, 0, 0x428a2f98); 121 RNDr(S, W, 1, 0x71374491); 122 RNDr(S, W, 2, 0xb5c0fbcf); 123 RNDr(S, W, 3, 0xe9b5dba5); 124 RNDr(S, W, 4, 0x3956c25b); 125 RNDr(S, W, 5, 0x59f111f1); 126 RNDr(S, W, 6, 0x923f82a4); 127 RNDr(S, W, 7, 0xab1c5ed5); 128 RNDr(S, W, 8, 0xd807aa98); 129 RNDr(S, W, 9, 0x12835b01); 130 RNDr(S, W, 10, 0x243185be); 131 RNDr(S, W, 11, 0x550c7dc3); 132 RNDr(S, W, 12, 0x72be5d74); 133 RNDr(S, W, 13, 0x80deb1fe); 134 RNDr(S, W, 14, 0x9bdc06a7); 135 RNDr(S, W, 15, 0xc19bf174); 136 RNDr(S, W, 16, 0xe49b69c1); 137 RNDr(S, W, 17, 0xefbe4786); 138 RNDr(S, W, 18, 0x0fc19dc6); 139 RNDr(S, W, 19, 0x240ca1cc); 140 RNDr(S, W, 20, 0x2de92c6f); 141 RNDr(S, W, 21, 0x4a7484aa); 142 RNDr(S, W, 22, 0x5cb0a9dc); 143 RNDr(S, W, 23, 0x76f988da); 144 RNDr(S, W, 24, 0x983e5152); 145 RNDr(S, W, 25, 0xa831c66d); 146 RNDr(S, W, 26, 0xb00327c8); 147 RNDr(S, W, 27, 0xbf597fc7); 148 RNDr(S, W, 28, 0xc6e00bf3); 149 RNDr(S, W, 29, 0xd5a79147); 150 RNDr(S, W, 30, 0x06ca6351); 151 RNDr(S, W, 31, 0x14292967); 152 RNDr(S, W, 32, 0x27b70a85); 153 RNDr(S, W, 33, 0x2e1b2138); 154 RNDr(S, W, 34, 0x4d2c6dfc); 155 RNDr(S, W, 35, 0x53380d13); 156 RNDr(S, W, 36, 0x650a7354); 157 RNDr(S, W, 37, 0x766a0abb); 158 RNDr(S, W, 38, 0x81c2c92e); 159 RNDr(S, W, 39, 0x92722c85); 160 RNDr(S, W, 40, 0xa2bfe8a1); 161 RNDr(S, W, 41, 0xa81a664b); 162 RNDr(S, W, 42, 0xc24b8b70); 163 RNDr(S, W, 43, 0xc76c51a3); 164 RNDr(S, W, 44, 0xd192e819); 165 RNDr(S, W, 45, 0xd6990624); 166 RNDr(S, W, 46, 0xf40e3585); 167 RNDr(S, W, 47, 0x106aa070); 168 RNDr(S, W, 48, 0x19a4c116); 169 RNDr(S, W, 49, 0x1e376c08); 170 RNDr(S, W, 50, 0x2748774c); 171 RNDr(S, W, 51, 0x34b0bcb5); 172 RNDr(S, W, 52, 0x391c0cb3); 173 RNDr(S, W, 53, 0x4ed8aa4a); 174 RNDr(S, W, 54, 0x5b9cca4f); 175 RNDr(S, W, 55, 0x682e6ff3); 176 RNDr(S, W, 56, 0x748f82ee); 177 RNDr(S, W, 57, 0x78a5636f); 178 RNDr(S, W, 58, 0x84c87814); 179 RNDr(S, W, 59, 0x8cc70208); 180 RNDr(S, W, 60, 0x90befffa); 181 RNDr(S, W, 61, 0xa4506ceb); 182 RNDr(S, W, 62, 0xbef9a3f7); 183 RNDr(S, W, 63, 0xc67178f2); 184 185 /* 4. Mix local working variables into global state */ 186 for (i = 0; i < 8; i++) 187 state[i] += S[i]; 188 } 189 190 static unsigned char PAD[64] = { 191 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 192 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 193 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 194 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 195 }; 196 197 /* Add padding and terminating bit-count. */ 198 static void 199 SHA256_Pad(SHA256_CTX * ctx) 200 { 201 unsigned char len[8]; 202 uint32_t r, plen; 203 204 /* 205 * Convert length to a vector of bytes -- we do this now rather 206 * than later because the length will change after we pad. 207 */ 208 be64enc(len, ctx->count); 209 210 /* Add 1--64 bytes so that the resulting length is 56 mod 64 */ 211 r = (ctx->count >> 3) & 0x3f; 212 plen = (r < 56) ? (56 - r) : (120 - r); 213 SHA256_Update(ctx, PAD, (size_t)plen); 214 215 /* Add the terminating bit-count */ 216 SHA256_Update(ctx, len, 8); 217 } 218 219 /* SHA-256 initialization. Begins a SHA-256 operation. */ 220 void 221 SHA256_Init(SHA256_CTX * ctx) 222 { 223 224 /* Zero bits processed so far */ 225 ctx->count = 0; 226 227 /* Magic initialization constants */ 228 ctx->state[0] = 0x6A09E667; 229 ctx->state[1] = 0xBB67AE85; 230 ctx->state[2] = 0x3C6EF372; 231 ctx->state[3] = 0xA54FF53A; 232 ctx->state[4] = 0x510E527F; 233 ctx->state[5] = 0x9B05688C; 234 ctx->state[6] = 0x1F83D9AB; 235 ctx->state[7] = 0x5BE0CD19; 236 } 237 238 /* Add bytes into the hash */ 239 void 240 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) 241 { 242 uint64_t bitlen; 243 uint32_t r; 244 const unsigned char *src = in; 245 246 /* Number of bytes left in the buffer from previous updates */ 247 r = (ctx->count >> 3) & 0x3f; 248 249 /* Convert the length into a number of bits */ 250 bitlen = len << 3; 251 252 /* Update number of bits */ 253 ctx->count += bitlen; 254 255 /* Handle the case where we don't need to perform any transforms */ 256 if (len < 64 - r) { 257 memcpy(&ctx->buf[r], src, len); 258 return; 259 } 260 261 /* Finish the current block */ 262 memcpy(&ctx->buf[r], src, 64 - r); 263 SHA256_Transform(ctx->state, ctx->buf); 264 src += 64 - r; 265 len -= 64 - r; 266 267 /* Perform complete blocks */ 268 while (len >= 64) { 269 SHA256_Transform(ctx->state, src); 270 src += 64; 271 len -= 64; 272 } 273 274 /* Copy left over data into buffer */ 275 memcpy(ctx->buf, src, len); 276 } 277 278 /* 279 * SHA-256 finalization. Pads the input data, exports the hash value, 280 * and clears the context state. 281 */ 282 void 283 SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx) 284 { 285 286 /* Add padding */ 287 SHA256_Pad(ctx); 288 289 /* Write the hash */ 290 be32enc_vect(digest, ctx->state, 32); 291 292 /* Clear the context state */ 293 memset((void *)ctx, 0, sizeof(*ctx)); 294 } 295
