1
2 /*-
3 * Copyright 2005,2007,2009 Colin Percival
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 *
27 */
28
29 #include <limits.h>
30 #include <stdint.h>
31 #include <stdlib.h>
32 #include <string.h>
33
34 #include <sys/types.h>
35
36 #include "crypto_hash_sha256.h"
37 #include "private/common.h"
38 #include "utils.h"
39
40 static void
be32enc_vect(unsigned char * dst,const uint32_t * src,size_t len)41 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
42 {
43 size_t i;
44
45 for (i = 0; i < len / 4; i++) {
46 STORE32_BE(dst + i * 4, src[i]);
47 }
48 }
49
50 static void
be32dec_vect(uint32_t * dst,const unsigned char * src,size_t len)51 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
52 {
53 size_t i;
54
55 for (i = 0; i < len / 4; i++) {
56 dst[i] = LOAD32_BE(src + i * 4);
57 }
58 }
59
60 static const uint32_t Krnd[64] = {
61 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
62 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
63 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
64 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
65 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
66 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
67 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
68 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
69 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
70 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
71 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
72 };
73
74 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
75 #define Maj(x, y, z) ((x & (y | z)) | (y & z))
76 #define SHR(x, n) (x >> n)
77 #define ROTR(x, n) ROTR32(x, n)
78 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
79 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
80 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
81 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
82
83 #define RND(a, b, c, d, e, f, g, h, k) \
84 h += S1(e) + Ch(e, f, g) + k; \
85 d += h; \
86 h += S0(a) + Maj(a, b, c);
87
88 #define RNDr(S, W, i, ii) \
89 RND(S[(64 - i) % 8], S[(65 - i) % 8], S[(66 - i) % 8], S[(67 - i) % 8], \
90 S[(68 - i) % 8], S[(69 - i) % 8], S[(70 - i) % 8], S[(71 - i) % 8], \
91 W[i + ii] + Krnd[i + ii])
92
93 #define MSCH(W, ii, i) \
94 W[i + ii + 16] = \
95 s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
96
97 static void
SHA256_Transform(uint32_t state[8],const uint8_t block[64],uint32_t W[64],uint32_t S[8])98 SHA256_Transform(uint32_t state[8], const uint8_t block[64], uint32_t W[64],
99 uint32_t S[8])
100 {
101 int i;
102
103 be32dec_vect(W, block, 64);
104 memcpy(S, state, 32);
105 for (i = 0; i < 64; i += 16) {
106 RNDr(S, W, 0, i);
107 RNDr(S, W, 1, i);
108 RNDr(S, W, 2, i);
109 RNDr(S, W, 3, i);
110 RNDr(S, W, 4, i);
111 RNDr(S, W, 5, i);
112 RNDr(S, W, 6, i);
113 RNDr(S, W, 7, i);
114 RNDr(S, W, 8, i);
115 RNDr(S, W, 9, i);
116 RNDr(S, W, 10, i);
117 RNDr(S, W, 11, i);
118 RNDr(S, W, 12, i);
119 RNDr(S, W, 13, i);
120 RNDr(S, W, 14, i);
121 RNDr(S, W, 15, i);
122 if (i == 48) {
123 break;
124 }
125 MSCH(W, 0, i);
126 MSCH(W, 1, i);
127 MSCH(W, 2, i);
128 MSCH(W, 3, i);
129 MSCH(W, 4, i);
130 MSCH(W, 5, i);
131 MSCH(W, 6, i);
132 MSCH(W, 7, i);
133 MSCH(W, 8, i);
134 MSCH(W, 9, i);
135 MSCH(W, 10, i);
136 MSCH(W, 11, i);
137 MSCH(W, 12, i);
138 MSCH(W, 13, i);
139 MSCH(W, 14, i);
140 MSCH(W, 15, i);
141 }
142 for (i = 0; i < 8; i++) {
143 state[i] += S[i];
144 }
145 }
146
147 static const uint8_t PAD[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
148 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
149 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
150 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
151 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
152
153 static void
SHA256_Pad(crypto_hash_sha256_state * state,uint32_t tmp32[64+8])154 SHA256_Pad(crypto_hash_sha256_state *state, uint32_t tmp32[64 + 8])
155 {
156 unsigned int r;
157 unsigned int i;
158
159 r = (unsigned int) ((state->count >> 3) & 0x3f);
160 if (r < 56) {
161 for (i = 0; i < 56 - r; i++) {
162 state->buf[r + i] = PAD[i];
163 }
164 } else {
165 for (i = 0; i < 64 - r; i++) {
166 state->buf[r + i] = PAD[i];
167 }
168 SHA256_Transform(state->state, state->buf, &tmp32[0], &tmp32[64]);
169 memset(&state->buf[0], 0, 56);
170 }
171 STORE64_BE(&state->buf[56], state->count);
172 SHA256_Transform(state->state, state->buf, &tmp32[0], &tmp32[64]);
173 }
174
175 int
crypto_hash_sha256_init(crypto_hash_sha256_state * state)176 crypto_hash_sha256_init(crypto_hash_sha256_state *state)
177 {
178 static const uint32_t sha256_initial_state[8] = { 0x6a09e667, 0xbb67ae85,
179 0x3c6ef372, 0xa54ff53a,
180 0x510e527f, 0x9b05688c,
181 0x1f83d9ab, 0x5be0cd19 };
182
183 state->count = (uint64_t) 0U;
184 memcpy(state->state, sha256_initial_state, sizeof sha256_initial_state);
185
186 return 0;
187 }
188
189 int
crypto_hash_sha256_update(crypto_hash_sha256_state * state,const unsigned char * in,unsigned long long inlen)190 crypto_hash_sha256_update(crypto_hash_sha256_state *state,
191 const unsigned char *in, unsigned long long inlen)
192 {
193 uint32_t tmp32[64 + 8];
194 unsigned long long i;
195 unsigned long long r;
196
197 if (inlen <= 0U) {
198 return 0;
199 }
200 r = (unsigned long long) ((state->count >> 3) & 0x3f);
201
202 state->count += ((uint64_t) inlen) << 3;
203 if (inlen < 64 - r) {
204 for (i = 0; i < inlen; i++) {
205 state->buf[r + i] = in[i];
206 }
207 return 0;
208 }
209 for (i = 0; i < 64 - r; i++) {
210 state->buf[r + i] = in[i];
211 }
212 SHA256_Transform(state->state, state->buf, &tmp32[0], &tmp32[64]);
213 in += 64 - r;
214 inlen -= 64 - r;
215
216 while (inlen >= 64) {
217 SHA256_Transform(state->state, in, &tmp32[0], &tmp32[64]);
218 in += 64;
219 inlen -= 64;
220 }
221 inlen &= 63;
222 for (i = 0; i < inlen; i++) {
223 state->buf[i] = in[i];
224 }
225 sodium_memzero((void *) tmp32, sizeof tmp32);
226
227 return 0;
228 }
229
230 int
crypto_hash_sha256_final(crypto_hash_sha256_state * state,unsigned char * out)231 crypto_hash_sha256_final(crypto_hash_sha256_state *state, unsigned char *out)
232 {
233 uint32_t tmp32[64 + 8];
234
235 SHA256_Pad(state, tmp32);
236 be32enc_vect(out, state->state, 32);
237 sodium_memzero((void *) tmp32, sizeof tmp32);
238 sodium_memzero((void *) state, sizeof *state);
239
240 return 0;
241 }
242
243 int
crypto_hash_sha256(unsigned char * out,const unsigned char * in,unsigned long long inlen)244 crypto_hash_sha256(unsigned char *out, const unsigned char *in,
245 unsigned long long inlen)
246 {
247 crypto_hash_sha256_state state;
248
249 crypto_hash_sha256_init(&state);
250 crypto_hash_sha256_update(&state, in, inlen);
251 crypto_hash_sha256_final(&state, out);
252
253 return 0;
254 }
255