1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright (C) 2001-2003 Christophe Devine
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 */
20
21 #include <string.h>
22
23 #include "sha256.h"
24
25 #define GET_uint32_t(n,b,i) \
26 { \
27 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
28 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
29 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
30 | ( (uint32_t) (b)[(i) + 3] ); \
31 }
32
33 #define PUT_uint32_t(n,b,i) \
34 { \
35 (b)[(i) ] = (uint8_t) ( (n) >> 24 ); \
36 (b)[(i) + 1] = (uint8_t) ( (n) >> 16 ); \
37 (b)[(i) + 2] = (uint8_t) ( (n) >> 8 ); \
38 (b)[(i) + 3] = (uint8_t) ( (n) ); \
39 }
40
sha256_starts(sha256_context * ctx)41 void sha256_starts( sha256_context *ctx )
42 {
43 ctx->total[0] = 0;
44 ctx->total[1] = 0;
45
46 ctx->state[0] = 0x6A09E667;
47 ctx->state[1] = 0xBB67AE85;
48 ctx->state[2] = 0x3C6EF372;
49 ctx->state[3] = 0xA54FF53A;
50 ctx->state[4] = 0x510E527F;
51 ctx->state[5] = 0x9B05688C;
52 ctx->state[6] = 0x1F83D9AB;
53 ctx->state[7] = 0x5BE0CD19;
54 }
55
sha256_process(sha256_context * ctx,const uint8_t data[64])56 void sha256_process( sha256_context *ctx, const uint8_t data[64] )
57 {
58 uint32_t temp1, temp2, W[64];
59 uint32_t A, B, C, D, E, F, G, H;
60
61 GET_uint32_t( W[0], data, 0 );
62 GET_uint32_t( W[1], data, 4 );
63 GET_uint32_t( W[2], data, 8 );
64 GET_uint32_t( W[3], data, 12 );
65 GET_uint32_t( W[4], data, 16 );
66 GET_uint32_t( W[5], data, 20 );
67 GET_uint32_t( W[6], data, 24 );
68 GET_uint32_t( W[7], data, 28 );
69 GET_uint32_t( W[8], data, 32 );
70 GET_uint32_t( W[9], data, 36 );
71 GET_uint32_t( W[10], data, 40 );
72 GET_uint32_t( W[11], data, 44 );
73 GET_uint32_t( W[12], data, 48 );
74 GET_uint32_t( W[13], data, 52 );
75 GET_uint32_t( W[14], data, 56 );
76 GET_uint32_t( W[15], data, 60 );
77
78 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
79 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
80
81 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
82 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
83
84 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
85 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
86
87 #define F0(x,y,z) ((x & y) | (z & (x | y)))
88 #define F1(x,y,z) (z ^ (x & (y ^ z)))
89
90 #define R(t) \
91 ( \
92 W[t] = S1(W[t - 2]) + W[t - 7] + \
93 S0(W[t - 15]) + W[t - 16] \
94 )
95
96 #define P(a,b,c,d,e,f,g,h,x,K) \
97 { \
98 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
99 temp2 = S2(a) + F0(a,b,c); \
100 d += temp1; h = temp1 + temp2; \
101 }
102
103 A = ctx->state[0];
104 B = ctx->state[1];
105 C = ctx->state[2];
106 D = ctx->state[3];
107 E = ctx->state[4];
108 F = ctx->state[5];
109 G = ctx->state[6];
110 H = ctx->state[7];
111
112 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
113 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
114 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
115 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
116 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
117 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
118 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
119 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
120 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
121 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
122 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
123 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
124 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
125 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
126 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
127 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
128 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
129 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
130 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
131 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
132 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
133 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
134 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
135 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
136 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
137 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
138 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
139 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
140 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
141 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
142 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
143 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
144 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
145 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
146 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
147 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
148 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
149 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
150 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
151 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
152 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
153 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
154 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
155 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
156 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
157 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
158 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
159 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
160 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
161 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
162 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
163 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
164 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
165 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
166 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
167 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
168 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
169 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
170 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
171 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
172 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
173 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
174 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
175 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
176
177 ctx->state[0] += A;
178 ctx->state[1] += B;
179 ctx->state[2] += C;
180 ctx->state[3] += D;
181 ctx->state[4] += E;
182 ctx->state[5] += F;
183 ctx->state[6] += G;
184 ctx->state[7] += H;
185 }
186
sha256_update(sha256_context * ctx,const uint8_t * input,uint32_t length)187 void sha256_update( sha256_context *ctx, const uint8_t *input, uint32_t length )
188 {
189 uint32_t left, fill;
190
191 if( ! length ) return;
192
193 left = ctx->total[0] & 0x3F;
194 fill = 64 - left;
195
196 ctx->total[0] += length;
197 ctx->total[0] &= 0xFFFFFFFF;
198
199 if( ctx->total[0] < length )
200 ctx->total[1]++;
201
202 if( left && length >= fill )
203 {
204 memcpy( (void *) (ctx->buffer + left),
205 (void *) input, fill );
206 sha256_process( ctx, ctx->buffer );
207 length -= fill;
208 input += fill;
209 left = 0;
210 }
211
212 while( length >= 64 )
213 {
214 sha256_process( ctx, input );
215 length -= 64;
216 input += 64;
217 }
218
219 if( length )
220 {
221 memcpy( (void *) (ctx->buffer + left),
222 (void *) input, length );
223 }
224 }
225
226 static const uint8_t sha256_padding[64] =
227 {
228 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
229 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
230 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
231 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
232 };
233
sha256_finish(sha256_context * ctx,uint8_t digest[32])234 void sha256_finish( sha256_context *ctx, uint8_t digest[32] )
235 {
236 uint32_t last, padn;
237 uint32_t high, low;
238 uint8_t msglen[8];
239
240 high = ( ctx->total[0] >> 29 )
241 | ( ctx->total[1] << 3 );
242 low = ( ctx->total[0] << 3 );
243
244 PUT_uint32_t( high, msglen, 0 );
245 PUT_uint32_t( low, msglen, 4 );
246
247 last = ctx->total[0] & 0x3F;
248 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
249
250 sha256_update( ctx, sha256_padding, padn );
251 sha256_update( ctx, msglen, 8 );
252
253 PUT_uint32_t( ctx->state[0], digest, 0 );
254 PUT_uint32_t( ctx->state[1], digest, 4 );
255 PUT_uint32_t( ctx->state[2], digest, 8 );
256 PUT_uint32_t( ctx->state[3], digest, 12 );
257 PUT_uint32_t( ctx->state[4], digest, 16 );
258 PUT_uint32_t( ctx->state[5], digest, 20 );
259 PUT_uint32_t( ctx->state[6], digest, 24 );
260 PUT_uint32_t( ctx->state[7], digest, 28 );
261 }
262
263