1 /*-
2 * Copyright 2005 Colin Percival
3 * All rights reserved.
4 *
5 * SPDX-License-Identifier: BSD-2-Clause
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 *
28 * From:
29 * $FreeBSD: sys/crypto/sha2/sha256c.c 300966 2016-05-29 17:26:40Z cperciva $
30 */
31
32 #include "config.h"
33
34 #if defined(HAVE_SYS_ENDIAN_H)
35 # include <sys/types.h>
36 # include <sys/endian.h>
37 # define VBYTE_ORDER _BYTE_ORDER
38 # define VBIG_ENDIAN _BIG_ENDIAN
39 #elif defined(HAVE_ENDIAN_H)
40 # include <endian.h>
41 # define VBYTE_ORDER __BYTE_ORDER
42 # define VBIG_ENDIAN __BIG_ENDIAN
43 #endif
44
45 #include <stdint.h>
46 #include <string.h>
47
48 #include "vdef.h"
49
50 #include "vas.h"
51 #include "vend.h"
52 #include "vsha256.h"
53
54 #if defined(VBYTE_ORDER) && VBYTE_ORDER == VBIG_ENDIAN
55
56 /* Copy a vector of big-endian uint32_t into a vector of bytes */
57 #define be32enc_vect(dst, src, len) \
58 memcpy((void *)dst, (const void *)src, (size_t)len)
59
60 /* Copy a vector of bytes into a vector of big-endian uint32_t */
61 #define be32dec_vect(dst, src, len) \
62 memcpy((void *)dst, (const void *)src, (size_t)len)
63
64 #else /* BYTE_ORDER != BIG_ENDIAN or in doubt... */
65
66 /*
67 * Encode a length len/4 vector of (uint32_t) into a length len vector of
68 * (unsigned char) in big-endian form. Assumes len is a multiple of 4.
69 */
70 static void
be32enc_vect(unsigned char * dst,const uint32_t * src,size_t len)71 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
72 {
73 size_t i;
74
75 for (i = 0; i < len / 4; i++)
76 vbe32enc(dst + i * 4, src[i]);
77 }
78
79 /*
80 * Decode a big-endian length len vector of (unsigned char) into a length
81 * len/4 vector of (uint32_t). Assumes len is a multiple of 4.
82 */
83 static void
be32dec_vect(uint32_t * dst,const unsigned char * src,size_t len)84 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
85 {
86 size_t i;
87
88 for (i = 0; i < len / 4; i++)
89 dst[i] = vbe32dec(src + i * 4);
90 }
91
92 #endif /* BYTE_ORDER != BIG_ENDIAN */
93
94 /* SHA256 round constants. */
95 static const uint32_t K[64] = {
96 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
97 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
98 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
99 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
100 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
101 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
102 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
103 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
104 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
105 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
106 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
107 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
108 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
109 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
110 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
111 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
112 };
113
114 /* Elementary functions used by SHA256 */
115 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
116 #define Maj(x, y, z) ((x & (y | z)) | (y & z))
117 #define SHR(x, n) (x >> n)
118 #define ROTR(x, n) ((x >> n) | (x << (32 - n)))
119 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
120 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
121 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
122 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
123
124 /* SHA256 round function */
125 #define RND(a, b, c, d, e, f, g, h, k) \
126 do { \
127 h += S1(e) + Ch(e, f, g) + (k); \
128 d += h; \
129 h += S0(a) + Maj(a, b, c); \
130 } while (0)
131
132 /* Adjusted round function for rotating state */
133 #define RNDr(S, W, i, ii) \
134 RND(S[(64 - i) % 8], S[(65 - i) % 8], \
135 S[(66 - i) % 8], S[(67 - i) % 8], \
136 S[(68 - i) % 8], S[(69 - i) % 8], \
137 S[(70 - i) % 8], S[(71 - i) % 8], \
138 W[i + ii] + K[i + ii])
139
140 /* Message schedule computation */
141 #define MSCH(W, ii, i) \
142 do { \
143 W[i + ii + 16] = \
144 s1(W[i + ii + 14]) + W[i + ii + 9] + \
145 s0(W[i + ii + 1]) + W[i + ii]; \
146 } while (0)
147
148 /*
149 * SHA256 block compression function. The 256-bit state is transformed via
150 * the 512-bit input block to produce a new state.
151 */
152 static void
VSHA256_Transform(uint32_t * state,const unsigned char block[64])153 VSHA256_Transform(uint32_t * state, const unsigned char block[64])
154 {
155 uint32_t W[64];
156 uint32_t S[8];
157 int i;
158
159 /* 1. Prepare the first part of the message schedule W. */
160 be32dec_vect(W, block, 64);
161
162 /* 2. Initialize working variables. */
163 memcpy(S, state, 32);
164
165 /* 3. Mix. */
166 for (i = 0; i < 64; i += 16) {
167 RNDr(S, W, 0, i);
168 RNDr(S, W, 1, i);
169 RNDr(S, W, 2, i);
170 RNDr(S, W, 3, i);
171 RNDr(S, W, 4, i);
172 RNDr(S, W, 5, i);
173 RNDr(S, W, 6, i);
174 RNDr(S, W, 7, i);
175 RNDr(S, W, 8, i);
176 RNDr(S, W, 9, i);
177 RNDr(S, W, 10, i);
178 RNDr(S, W, 11, i);
179 RNDr(S, W, 12, i);
180 RNDr(S, W, 13, i);
181 RNDr(S, W, 14, i);
182 RNDr(S, W, 15, i);
183
184 if (i == 48)
185 break;
186 MSCH(W, 0, i);
187 MSCH(W, 1, i);
188 MSCH(W, 2, i);
189 MSCH(W, 3, i);
190 MSCH(W, 4, i);
191 MSCH(W, 5, i);
192 MSCH(W, 6, i);
193 MSCH(W, 7, i);
194 MSCH(W, 8, i);
195 MSCH(W, 9, i);
196 MSCH(W, 10, i);
197 MSCH(W, 11, i);
198 MSCH(W, 12, i);
199 MSCH(W, 13, i);
200 MSCH(W, 14, i);
201 MSCH(W, 15, i);
202 }
203
204 /* 4. Mix local working variables into global state */
205 for (i = 0; i < 8; i++)
206 state[i] += S[i];
207 }
208
209 static const unsigned char PAD[64] = {
210 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
211 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
212 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
213 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
214 };
215
216 /* Add padding and terminating bit-count. */
217 static void
VSHA256_Pad(VSHA256_CTX * ctx)218 VSHA256_Pad(VSHA256_CTX * ctx)
219 {
220 size_t r;
221
222 /* Figure out how many bytes we have buffered. */
223 r = (ctx->count >> 3) & 0x3f;
224
225 /* Pad to 56 mod 64, transforming if we finish a block en route. */
226 if (r < 56) {
227 /* Pad to 56 mod 64. */
228 memcpy(&ctx->buf[r], PAD, 56 - r);
229 } else {
230 /* Finish the current block and mix. */
231 memcpy(&ctx->buf[r], PAD, 64 - r);
232 VSHA256_Transform(ctx->state, ctx->buf);
233
234 /* The start of the final block is all zeroes. */
235 memset(&ctx->buf[0], 0, 56);
236 }
237
238 /* Add the terminating bit-count. */
239 vbe64enc(&ctx->buf[56], ctx->count);
240
241 /* Mix in the final block. */
242 VSHA256_Transform(ctx->state, ctx->buf);
243 }
244
245 /* SHA-256 initialization. Begins a SHA-256 operation. */
246 void
VSHA256_Init(VSHA256_CTX * ctx)247 VSHA256_Init(VSHA256_CTX * ctx)
248 {
249
250 /* Zero bits processed so far */
251 ctx->count = 0;
252
253 /* Magic initialization constants */
254 ctx->state[0] = 0x6A09E667;
255 ctx->state[1] = 0xBB67AE85;
256 ctx->state[2] = 0x3C6EF372;
257 ctx->state[3] = 0xA54FF53A;
258 ctx->state[4] = 0x510E527F;
259 ctx->state[5] = 0x9B05688C;
260 ctx->state[6] = 0x1F83D9AB;
261 ctx->state[7] = 0x5BE0CD19;
262 }
263
264 /* Add bytes into the hash */
265 void
VSHA256_Update(VSHA256_CTX * ctx,const void * in,size_t len)266 VSHA256_Update(VSHA256_CTX * ctx, const void *in, size_t len)
267 {
268 uint64_t bitlen;
269 uint32_t r;
270 const unsigned char *src = in;
271
272 /* Number of bytes left in the buffer from previous updates */
273 r = (ctx->count >> 3) & 0x3f;
274
275 /* Convert the length into a number of bits */
276 bitlen = len << 3;
277
278 /* Update number of bits */
279 ctx->count += bitlen;
280
281 /* Handle the case where we don't need to perform any transforms */
282 if (len < 64 - r) {
283 memcpy(&ctx->buf[r], src, len);
284 return;
285 }
286
287 /* Finish the current block */
288 memcpy(&ctx->buf[r], src, 64 - r);
289 VSHA256_Transform(ctx->state, ctx->buf);
290 src += 64 - r;
291 len -= 64 - r;
292
293 /* Perform complete blocks */
294 while (len >= 64) {
295 VSHA256_Transform(ctx->state, src);
296 src += 64;
297 len -= 64;
298 }
299
300 /* Copy left over data into buffer */
301 memcpy(ctx->buf, src, len);
302 }
303
304 /*
305 * SHA-256 finalization. Pads the input data, exports the hash value,
306 * and clears the context state.
307 */
308 void
VSHA256_Final(unsigned char digest[static VSHA256_DIGEST_LENGTH],VSHA256_CTX * ctx)309 VSHA256_Final(unsigned char digest[static VSHA256_DIGEST_LENGTH],
310 VSHA256_CTX *ctx)
311 {
312
313 /* Add padding */
314 VSHA256_Pad(ctx);
315
316 /* Write the hash */
317 be32enc_vect(digest, ctx->state, VSHA256_DIGEST_LENGTH);
318
319 /* Clear the context state */
320 memset((void *)ctx, 0, sizeof(*ctx));
321 }
322
323 /*
324 * A few test-vectors, just in case
325 */
326
327 static const struct sha256test {
328 const char *input;
329 const unsigned char output[32];
330 } sha256test[] = {
331 { "",
332 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4,
333 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b,
334 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55} },
335 { "message digest",
336 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5,
337 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb,
338 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50} },
339 { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
340 {0xdb, 0x4b, 0xfc, 0xbd, 0x4d, 0xa0, 0xcd, 0x85, 0xa6, 0x0c, 0x3c,
341 0x37, 0xd3, 0xfb, 0xd8, 0x80, 0x5c, 0x77, 0xf1, 0x5f, 0xc6, 0xb1,
342 0xfd, 0xfe, 0x61, 0x4e, 0xe0, 0xa7, 0xc8, 0xfd, 0xb4, 0xc0} },
343 { NULL }
344 };
345
346
347 void
VSHA256_Test(void)348 VSHA256_Test(void)
349 {
350 struct VSHA256Context c;
351 const struct sha256test *p;
352 unsigned char o[32];
353
354 for (p = sha256test; p->input != NULL; p++) {
355 VSHA256_Init(&c);
356 VSHA256_Update(&c, p->input, strlen(p->input));
357 VSHA256_Final(o, &c);
358 AZ(memcmp(o, p->output, 32));
359 }
360 }
361