1 /*
2 * SHA2-256 implementation based on FIPS180-2.
3 *
4 * Copyright (c) 2009 Marko Kreen
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <usual/crypto/sha256.h>
20 #include <usual/crypto/digest.h>
21
22 #include <usual/endian.h>
23 #include <usual/bits.h>
24
25 /* repeat with increasing offset */
26 #define R4(R, t) R(t+0); R(t+1); R(t+2); R(t+3)
27 #define R16(R, t) R4(R, t+0); R4(R, t+4); R4(R, t+8); R4(R, t+12)
28 #define R64(R, t) R16(R, t+0); R16(R, t+16); R16(R, t+32); R16(R, t+48);
29
30 #define bufpos(ctx) ((ctx)->nbytes & (SHA256_BLOCK_SIZE - 1))
31
32 /*
33 * initial values
34 */
35
36 static const uint32_t H224[8] = {
37 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
38 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4,
39 };
40
41 static const uint32_t H256[8] = {
42 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
43 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
44 };
45
46 /*
47 * constants for mixing
48 */
49
50 static const uint32_t K[64] = {
51 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
52 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
53 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
54 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
55 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
56 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
57 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
58 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
59 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
60 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
61 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
62 };
63
64 /*
65 * mixing
66 */
67
68 #define CH(x,y,z) ((x & y) ^ ((~x) & z))
69 #define MAJ(x,y,z) ((x & y) ^ (x & z) ^ (y & z))
70
71 #define E0(x) (ror32(x, 2) ^ ror32(x, 13) ^ ror32(x, 22))
72 #define E1(x) (ror32(x, 6) ^ ror32(x, 11) ^ ror32(x, 25))
73 #define O0(x) (ror32(x, 7) ^ ror32(x, 18) ^ (x >> 3))
74 #define O1(x) (ror32(x, 17) ^ ror32(x, 19) ^ (x >> 10))
75
76 #define W(n) (ctx->buf.words[(n) & 15])
77 #define setW(n,v) W(n) = (v)
78
79 #define SHA256_ROUND(_t) do { \
80 uint32_t tmp1, tmp2, t = (_t); \
81 if (t >= 16) { \
82 setW(t, O1(W(t - 2)) + W(t - 7) + O0(W(t - 15)) + W(t - 16)); \
83 } else { \
84 /* convert endianess on first go */ \
85 setW(t, be32toh(W(t))); \
86 } \
87 tmp1 = h + E1(e) + CH(e,f,g) + K[k_pos++] + W(t); \
88 tmp2 = E0(a) + MAJ(a,b,c); \
89 h = g; g = f; f = e; e = d + tmp1; d = c; c = b; b = a; a = tmp1 + tmp2; \
90 } while (0)
91
92 /*
93 * actual core
94 */
95
sha256_core(struct sha256_ctx * ctx)96 static void sha256_core(struct sha256_ctx *ctx)
97 {
98 uint32_t *state = ctx->state;
99 uint32_t a = state[0], b = state[1], c = state[2], d = state[3];
100 uint32_t e = state[4], f = state[5], g = state[6], h = state[7];
101 unsigned k_pos = 0;
102
103 R16(SHA256_ROUND, 0);
104 while (k_pos < 64) {
105 R16(SHA256_ROUND, 16);
106 }
107
108 state[0] += a;
109 state[1] += b;
110 state[2] += c;
111 state[3] += d;
112 state[4] += e;
113 state[5] += f;
114 state[6] += g;
115 state[7] += h;
116 }
117
118 /*
119 * Public API for SHA256.
120 */
121
sha256_reset(struct sha256_ctx * ctx)122 void sha256_reset(struct sha256_ctx *ctx)
123 {
124 memset(ctx, 0, sizeof(*ctx));
125 memcpy(ctx->state, H256, sizeof(H256));
126 }
127
sha256_update(struct sha256_ctx * ctx,const void * data,unsigned int len)128 void sha256_update(struct sha256_ctx *ctx, const void *data, unsigned int len)
129 {
130 unsigned int n;
131 const uint8_t *src = data;
132 uint8_t *dst = ctx->buf.raw;
133
134 while (len > 0) {
135 n = SHA256_BLOCK_SIZE - bufpos(ctx);
136 if (n > len)
137 n = len;
138
139 memcpy(dst + bufpos(ctx), src, n);
140 src += n;
141 len -= n;
142 ctx->nbytes += n;
143
144 if (bufpos(ctx) == 0)
145 sha256_core(ctx);
146 }
147 }
148
sha256_final(struct sha256_ctx * ctx,uint8_t * dst)149 void sha256_final(struct sha256_ctx *ctx, uint8_t *dst)
150 {
151 static const uint8_t padding[SHA256_BLOCK_SIZE] = { 0x80 };
152 uint64_t nbits = ctx->nbytes * 8;
153 int pad_len, pos = bufpos(ctx);
154 int i;
155
156 /* add padding */
157 pad_len = SHA256_BLOCK_SIZE - 8 - pos;
158 if (pad_len <= 0)
159 pad_len += SHA256_BLOCK_SIZE;
160 sha256_update(ctx, padding, pad_len);
161
162 /* add length */
163 ctx->buf.words[14] = htobe32(nbits >> 32);
164 ctx->buf.words[15] = htobe32(nbits);
165
166 /* final result */
167 sha256_core(ctx);
168 for (i = 0; i < SHA256_DIGEST_LENGTH / 4; i++)
169 be32enc(dst + i*4, ctx->state[i]);
170 }
171
172 /*
173 * Public API for SHA224.
174 */
175
sha224_reset(struct sha256_ctx * ctx)176 void sha224_reset(struct sha256_ctx *ctx)
177 {
178 memset(ctx, 0, sizeof(*ctx));
179 memcpy(ctx->state, H224, sizeof(H224));
180 }
181
sha224_update(struct sha256_ctx * ctx,const void * data,unsigned int len)182 void sha224_update(struct sha256_ctx *ctx, const void *data, unsigned int len)
183 {
184 sha256_update(ctx, data, len);
185 }
186
sha224_final(struct sha256_ctx * ctx,uint8_t * dst)187 void sha224_final(struct sha256_ctx *ctx, uint8_t *dst)
188 {
189 uint8_t buf[SHA256_DIGEST_LENGTH];
190 sha256_final(ctx, buf);
191 memcpy(dst, buf, SHA224_DIGEST_LENGTH);
192 memset(buf, 0, sizeof(buf));
193 }
194
195 /*
196 * DigestInfo
197 */
198
digest_SHA224(void)199 const struct DigestInfo *digest_SHA224(void)
200 {
201 static const struct DigestInfo info = {
202 (DigestInitFunc *)sha224_reset,
203 (DigestUpdateFunc *)sha224_update,
204 (DigestFinalFunc *)sha224_final,
205 sizeof(struct sha256_ctx),
206 SHA224_DIGEST_LENGTH,
207 SHA224_BLOCK_SIZE
208 };
209 return &info;
210 }
211
digest_SHA256(void)212 const struct DigestInfo *digest_SHA256(void)
213 {
214 static const struct DigestInfo info = {
215 (DigestInitFunc *)sha256_reset,
216 (DigestUpdateFunc *)sha256_update,
217 (DigestFinalFunc *)sha256_final,
218 sizeof(struct sha256_ctx),
219 SHA256_DIGEST_LENGTH,
220 SHA256_BLOCK_SIZE
221 };
222 return &info;
223 }
224