1 /*-
2 * Copyright (c) 2001, 2002 Allan Saddi <allan@saddi.com>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $Id: sha256.c,v 1.3 2007/03/25 11:33:41 patthoyts Exp $
27 */
28
29 /*
30 * Define WORDS_BIGENDIAN if compiling on a big-endian architecture.
31 *
32 * Define SHA256_TEST to test the implementation using the NIST's
33 * sample messages. The output should be:
34 *
35 * ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad
36 * 248d6a61 d20638b8 e5c02693 0c3e6039 a33ce459 64ff2167 f6ecedd4 19db06c1
37 * cdc76e5c 9914fb92 81a1c7e2 84d73e67 f1809a48 a497200e 046d39cc c7112cd0
38 */
39
40 #ifdef HAVE_CONFIG_H
41 #include <config.h>
42 #endif /* HAVE_CONFIG_H */
43
44 #if HAVE_INTTYPES_H
45 # include <inttypes.h>
46 #else
47 # if HAVE_STDINT_H
48 # include <stdint.h>
49 # endif
50 #endif
51
52 #include <string.h>
53 #include <stdlib.h>
54
55 #include "sha256.h"
56
57 #ifndef lint
58 static const char rcsid[] =
59 "$Id: sha256.c,v 1.3 2007/03/25 11:33:41 patthoyts Exp $";
60 #endif /* !lint */
61
62 #ifndef TCL_BYTE_ORDER
63 #error "-DTCL_BYTE_ORDER missing"
64 #endif
65
66 #if TCL_BYTE_ORDER==1234
67 #else
68 #define WORDS_BIGENDIAN
69 #endif
70
71
72 #define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
73 #define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
74
75 #define Ch(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
76 #define Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z)))
77 #define SIGMA0(x) (ROTR((x), 2) ^ ROTR((x), 13) ^ ROTR((x), 22))
78 #define SIGMA1(x) (ROTR((x), 6) ^ ROTR((x), 11) ^ ROTR((x), 25))
79 #define sigma0(x) (ROTR((x), 7) ^ ROTR((x), 18) ^ ((x) >> 3))
80 #define sigma1(x) (ROTR((x), 17) ^ ROTR((x), 19) ^ ((x) >> 10))
81
82 #define DO_ROUND() { \
83 t1 = h + SIGMA1(e) + Ch(e, f, g) + *(Kp++) + *(W++); \
84 t2 = SIGMA0(a) + Maj(a, b, c); \
85 h = g; \
86 g = f; \
87 f = e; \
88 e = d + t1; \
89 d = c; \
90 c = b; \
91 b = a; \
92 a = t1 + t2; \
93 }
94
95 static const uint32_t K[64] = {
96 0x428a2f98L, 0x71374491L, 0xb5c0fbcfL, 0xe9b5dba5L,
97 0x3956c25bL, 0x59f111f1L, 0x923f82a4L, 0xab1c5ed5L,
98 0xd807aa98L, 0x12835b01L, 0x243185beL, 0x550c7dc3L,
99 0x72be5d74L, 0x80deb1feL, 0x9bdc06a7L, 0xc19bf174L,
100 0xe49b69c1L, 0xefbe4786L, 0x0fc19dc6L, 0x240ca1ccL,
101 0x2de92c6fL, 0x4a7484aaL, 0x5cb0a9dcL, 0x76f988daL,
102 0x983e5152L, 0xa831c66dL, 0xb00327c8L, 0xbf597fc7L,
103 0xc6e00bf3L, 0xd5a79147L, 0x06ca6351L, 0x14292967L,
104 0x27b70a85L, 0x2e1b2138L, 0x4d2c6dfcL, 0x53380d13L,
105 0x650a7354L, 0x766a0abbL, 0x81c2c92eL, 0x92722c85L,
106 0xa2bfe8a1L, 0xa81a664bL, 0xc24b8b70L, 0xc76c51a3L,
107 0xd192e819L, 0xd6990624L, 0xf40e3585L, 0x106aa070L,
108 0x19a4c116L, 0x1e376c08L, 0x2748774cL, 0x34b0bcb5L,
109 0x391c0cb3L, 0x4ed8aa4aL, 0x5b9cca4fL, 0x682e6ff3L,
110 0x748f82eeL, 0x78a5636fL, 0x84c87814L, 0x8cc70208L,
111 0x90befffaL, 0xa4506cebL, 0xbef9a3f7L, 0xc67178f2L
112 };
113
114 #ifndef RUNTIME_ENDIAN
115 #ifdef WORDS_BIGENDIAN
116
117 #define BYTESWAP(x) (x)
118 #define BYTESWAP64(x) (x)
119
120 #else /* !WORDS_BIGENDIAN */
121
122 #define BYTESWAP(x) ((ROTR((x), 8) & 0xff00ff00L) | \
123 (ROTL((x), 8) & 0x00ff00ffL))
124
125 #define BYTESWAP64(x) _byteswap64(x)
126
127 static
128 #ifndef _MSC_VER
129 inline
130 #endif
_byteswap64(uint64_t x)131 uint64_t _byteswap64(uint64_t x)
132 {
133 uint32_t a = x >> 32;
134 uint32_t b = (uint32_t) x;
135 return ((uint64_t) BYTESWAP(b) << 32) | (uint64_t) BYTESWAP(a);
136 }
137
138 #endif /* WORDS_BIGENDIAN */
139 #else /* !RUNTIME_ENDIAN */
140
141 static int littleEndian;
142
143 #define BYTESWAP(x) _byteswap(x)
144 #define BYTESWAP64(x) _byteswap64(x)
145
146 #define _BYTESWAP(x) ((ROTR((x), 8) & 0xff00ff00L) | \
147 (ROTL((x), 8) & 0x00ff00ffL))
148 #define _BYTESWAP64(x) __byteswap64(x)
149
__byteswap64(uint64_t x)150 static inline uint64_t __byteswap64(uint64_t x)
151 {
152 uint32_t a = x >> 32;
153 uint32_t b = (uint32_t) x;
154 return ((uint64_t) _BYTESWAP(b) << 32) | (uint64_t) _BYTESWAP(a);
155 }
156
_byteswap(uint32_t x)157 static inline uint32_t _byteswap(uint32_t x)
158 {
159 if (!littleEndian)
160 return x;
161 else
162 return _BYTESWAP(x);
163 }
164
_byteswap64(uint64_t x)165 static inline uint64_t _byteswap64(uint64_t x)
166 {
167 if (!littleEndian)
168 return x;
169 else
170 return _BYTESWAP64(x);
171 }
172
setEndian(void)173 static inline void setEndian(void)
174 {
175 union {
176 uint32_t w;
177 uint8_t b[4];
178 } endian;
179
180 endian.w = 1L;
181 littleEndian = endian.b[0] != 0;
182 }
183
184 #endif /* !RUNTIME_ENDIAN */
185
186 static const uint8_t padding[64] = {
187 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
188 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
189 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
195 };
196
197 void
SHA256Init(SHA256Context * sc)198 SHA256Init (SHA256Context *sc)
199 {
200 #ifdef RUNTIME_ENDIAN
201 setEndian ();
202 #endif /* RUNTIME_ENDIAN */
203
204 sc->totalLength = 0;
205 sc->hash[0] = 0x6a09e667;
206 sc->hash[1] = 0xbb67ae85;
207 sc->hash[2] = 0x3c6ef372;
208 sc->hash[3] = 0xa54ff53a;
209 sc->hash[4] = 0x510e527f;
210 sc->hash[5] = 0x9b05688c;
211 sc->hash[6] = 0x1f83d9ab;
212 sc->hash[7] = 0x5be0cd19;
213 sc->bufferLength = 0;
214 }
215
216 void
SHA224Init(SHA256Context * sc)217 SHA224Init (SHA256Context *sc)
218 {
219 #ifdef RUNTIME_ENDIAN
220 setEndian ();
221 #endif /* RUNTIME_ENDIAN */
222
223 sc->totalLength = 0;
224 sc->hash[0] = 0xc1059ed8;
225 sc->hash[1] = 0x367cd507;
226 sc->hash[2] = 0x3070dd17;
227 sc->hash[3] = 0xf70e5939;
228 sc->hash[4] = 0xffc00b31;
229 sc->hash[5] = 0x68581511;
230 sc->hash[6] = 0x64f98fa7;
231 sc->hash[7] = 0xbefa4fa4;
232 sc->bufferLength = 0;
233 }
234
235 static void
burnStack(int size)236 burnStack (int size)
237 {
238 char buf[128];
239
240 memset (buf, 0, sizeof (buf));
241 size -= sizeof (buf);
242 if (size > 0)
243 burnStack (size);
244 }
245
246 static void
SHA256Guts(SHA256Context * sc,const uint32_t * cbuf)247 SHA256Guts (SHA256Context *sc, const uint32_t *cbuf)
248 {
249 uint32_t buf[64];
250 uint32_t *W, *W2, *W7, *W15, *W16;
251 uint32_t a, b, c, d, e, f, g, h;
252 uint32_t t1, t2;
253 const uint32_t *Kp;
254 int i;
255
256 W = buf;
257
258 for (i = 15; i >= 0; i--) {
259 *(W++) = BYTESWAP(*cbuf);
260 cbuf++;
261 }
262
263 W16 = &buf[0];
264 W15 = &buf[1];
265 W7 = &buf[9];
266 W2 = &buf[14];
267
268 for (i = 47; i >= 0; i--) {
269 *(W++) = sigma1(*W2) + *(W7++) + sigma0(*W15) + *(W16++);
270 W2++;
271 W15++;
272 }
273
274 a = sc->hash[0];
275 b = sc->hash[1];
276 c = sc->hash[2];
277 d = sc->hash[3];
278 e = sc->hash[4];
279 f = sc->hash[5];
280 g = sc->hash[6];
281 h = sc->hash[7];
282
283 Kp = K;
284 W = buf;
285
286 #ifndef SHA256_UNROLL
287 #define SHA256_UNROLL 1
288 #endif /* !SHA256_UNROLL */
289
290 #if SHA256_UNROLL == 1
291 for (i = 63; i >= 0; i--)
292 DO_ROUND();
293 #elif SHA256_UNROLL == 2
294 for (i = 31; i >= 0; i--) {
295 DO_ROUND(); DO_ROUND();
296 }
297 #elif SHA256_UNROLL == 4
298 for (i = 15; i >= 0; i--) {
299 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
300 }
301 #elif SHA256_UNROLL == 8
302 for (i = 7; i >= 0; i--) {
303 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
304 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
305 }
306 #elif SHA256_UNROLL == 16
307 for (i = 3; i >= 0; i--) {
308 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
309 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
310 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
311 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
312 }
313 #elif SHA256_UNROLL == 32
314 for (i = 1; i >= 0; i--) {
315 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
316 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
317 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
318 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
319 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
320 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
321 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
322 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
323 }
324 #elif SHA256_UNROLL == 64
325 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
326 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
327 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
328 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
329 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
330 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
331 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
332 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
333 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
334 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
335 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
336 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
337 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
338 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
339 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
340 DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
341 #else
342 #error "SHA256_UNROLL must be 1, 2, 4, 8, 16, 32, or 64!"
343 #endif
344
345 sc->hash[0] += a;
346 sc->hash[1] += b;
347 sc->hash[2] += c;
348 sc->hash[3] += d;
349 sc->hash[4] += e;
350 sc->hash[5] += f;
351 sc->hash[6] += g;
352 sc->hash[7] += h;
353 }
354
355 void
SHA256Update(SHA256Context * sc,const void * data,uint32_t len)356 SHA256Update (SHA256Context *sc, const void *data, uint32_t len)
357 {
358 uint32_t bufferBytesLeft;
359 uint32_t bytesToCopy;
360 int needBurn = 0;
361
362 /* gcc 4 complains that the following construction has an invalid lvalue:
363 * ((uint8_t *) data) += bytesToCopy;
364 * apparently they have decided that assigment to cast values is a bad idea
365 * so we have to do the cast now as a work around -- assholes.
366 */
367 uint8_t *dataPtr = (uint8_t *)data;
368
369 #ifdef SHA256_FAST_COPY
370 if (sc->bufferLength) {
371 bufferBytesLeft = 64L - sc->bufferLength;
372
373 bytesToCopy = bufferBytesLeft;
374 if (bytesToCopy > len)
375 bytesToCopy = len;
376
377 memcpy (&sc->buffer.bytes[sc->bufferLength], dataPtr, bytesToCopy);
378
379 sc->totalLength += bytesToCopy * 8L;
380
381 sc->bufferLength += bytesToCopy;
382 dataPtr += bytesToCopy;
383 len -= bytesToCopy;
384
385 if (sc->bufferLength == 64L) {
386 SHA256Guts (sc, sc->buffer.words);
387 needBurn = 1;
388 sc->bufferLength = 0L;
389 }
390 }
391
392 while (len > 63L) {
393 sc->totalLength += 512L;
394
395 SHA256Guts (sc, dataPtr);
396 needBurn = 1;
397
398 dataPtr += 64L;
399 len -= 64L;
400 }
401
402 if (len) {
403 memcpy (&sc->buffer.bytes[sc->bufferLength], dataPtr, len);
404
405 sc->totalLength += len * 8L;
406
407 sc->bufferLength += len;
408 }
409 #else /* SHA256_FAST_COPY */
410 while (len) {
411 bufferBytesLeft = 64L - sc->bufferLength;
412
413 bytesToCopy = bufferBytesLeft;
414 if (bytesToCopy > len)
415 bytesToCopy = len;
416
417 memcpy (&sc->buffer.bytes[sc->bufferLength], dataPtr, bytesToCopy);
418
419 sc->totalLength += bytesToCopy * 8L;
420
421 sc->bufferLength += bytesToCopy;
422
423 dataPtr += bytesToCopy;
424 len -= bytesToCopy;
425
426 if (sc->bufferLength == 64L) {
427 SHA256Guts (sc, sc->buffer.words);
428 needBurn = 1;
429 sc->bufferLength = 0L;
430 }
431 }
432 #endif /* SHA256_FAST_COPY */
433
434 if (needBurn)
435 burnStack (sizeof (uint32_t[74]) + sizeof (uint32_t *[6]) + sizeof (int));
436 }
437
438 void
SHA256Final(SHA256Context * sc,uint8_t hash[SHA256_HASH_SIZE])439 SHA256Final (
440 SHA256Context *sc, uint8_t hash[SHA256_HASH_SIZE])
441 {
442 uint32_t bytesToPad;
443 uint64_t lengthPad;
444 int i;
445
446 bytesToPad = 120L - sc->bufferLength;
447 if (bytesToPad > 64L)
448 bytesToPad -= 64L;
449
450 lengthPad = BYTESWAP64(sc->totalLength);
451
452 SHA256Update (sc, padding, bytesToPad);
453 SHA256Update (sc, &lengthPad, 8L);
454
455 if (hash) {
456 for (i = 0; i < SHA256_HASH_WORDS; i++) {
457 #ifdef SHA256_FAST_COPY
458 *((uint32_t *) hash) = BYTESWAP(sc->hash[i]);
459 #else /* SHA256_FAST_COPY */
460 hash[0] = (uint8_t) (sc->hash[i] >> 24);
461 hash[1] = (uint8_t) (sc->hash[i] >> 16);
462 hash[2] = (uint8_t) (sc->hash[i] >> 8);
463 hash[3] = (uint8_t) sc->hash[i];
464 #endif /* SHA256_FAST_COPY */
465 hash += 4;
466 }
467 }
468 }
469
470 #ifdef SHA256_TEST
471
472 #include <stdio.h>
473 #include <stdlib.h>
474 #include <string.h>
475
476 int
main(int argc,char * argv[])477 main (int argc, char *argv[])
478 {
479 SHA256Context foo;
480 uint8_t hash[SHA256_HASH_SIZE];
481 char buf[1000];
482 int i;
483
484 SHA256Init (&foo);
485 SHA256Update (&foo, "abc", 3);
486 SHA256Final (&foo, hash);
487
488 for (i = 0; i < SHA256_HASH_SIZE;) {
489 printf ("%02x", hash[i++]);
490 if (!(i % 4))
491 printf (" ");
492 }
493 printf ("\n");
494
495 SHA256Init (&foo);
496 SHA256Update (&foo,
497 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
498 56);
499 SHA256Final (&foo, hash);
500
501 for (i = 0; i < SHA256_HASH_SIZE;) {
502 printf ("%02x", hash[i++]);
503 if (!(i % 4))
504 printf (" ");
505 }
506 printf ("\n");
507
508 SHA256Init (&foo);
509 memset (buf, 'a', sizeof (buf));
510 for (i = 0; i < 1000; i++)
511 SHA256Update (&foo, buf, sizeof (buf));
512 SHA256Final (&foo, hash);
513
514 for (i = 0; i < SHA256_HASH_SIZE;) {
515 printf ("%02x", hash[i++]);
516 if (!(i % 4))
517 printf (" ");
518 }
519 printf ("\n");
520
521 exit (0);
522 }
523
524 #endif /* SHA256_TEST */
525