1 /************************* sha224-256.c ************************/
2 /***************** See RFC 6234 for details. *******************/
3 /* Copyright (c) 2011 IETF Trust and the persons identified as */
4 /* authors of the code. All rights reserved. */
5 /* See sha.h for terms of use and redistribution. */
6
7 /*
8 * Description:
9 * This file implements the Secure Hash Algorithms SHA-224 and
10 * SHA-256 as defined in the U.S. National Institute of Standards
11 * and Technology Federal Information Processing Standards
12 * Publication (FIPS PUB) 180-3 published in October 2008
13 * and formerly defined in its predecessors, FIPS PUB 180-1
14 * and FIP PUB 180-2.
15 *
16 * A combined document showing all algorithms is available at
17 * http://csrc.nist.gov/publications/fips/
18 * fips180-3/fips180-3_final.pdf
19 *
20 * The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit
21 * message digests for a given data stream. It should take about
22 * 2**n steps to find a message with the same digest as a given
23 * message and 2**(n/2) to find any two messages with the same
24 * digest, when n is the digest size in bits. Therefore, this
25 * algorithm can serve as a means of providing a
26 * "fingerprint" for a message.
27 *
28 * Portability Issues:
29 * SHA-224 and SHA-256 are defined in terms of 32-bit "words".
30 * This code uses <stdint.h> (included via "sha.h") to define 32-
31 * and 8-bit unsigned integer types. If your C compiler does not
32 * support 32-bit unsigned integers, this code is not
33 * appropriate.
34 *
35 * Caveats:
36 * SHA-224 and SHA-256 are designed to work with messages less
37 * than 2^64 bits long. This implementation uses SHA224/256Input()
38 * to hash the bits that are a multiple of the size of an 8-bit
39 * octet, and then optionally uses SHA224/256FinalBits()
40 * to hash the final few bits of the input.
41 */
42
43 #include "canlock-private.h"
44 #include "sha.h"
45 #include "sha-private.h"
46
47 /* Define the SHA shift, rotate left, and rotate right macros */
48 #define SHA256_SHR(bits,word) ((word) >> (bits))
49 #if 0 /* not used */
50 #define SHA256_ROTL(bits,word) \
51 (((word) << (bits)) | ((word) >> (32-(bits))))
52 #endif /* 0 */
53 #define SHA256_ROTR(bits,word) \
54 (((word) >> (bits)) | ((word) << (32-(bits))))
55
56 /* Define the SHA SIGMA and sigma macros */
57 #define SHA256_SIGMA0(word) \
58 (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word))
59 #define SHA256_SIGMA1(word) \
60 (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word))
61 #define SHA256_sigma0(word) \
62 (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word))
63 #define SHA256_sigma1(word) \
64 (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word))
65
66 /*
67 * Add "length" to the length.
68 * Set Corrupted when overflow has occurred.
69 */
70 static uint32_t addTemp;
71 #define SHA224_256AddLength(context, length) \
72 (addTemp = (context)->Length_Low, (context)->Corrupted = \
73 (((context)->Length_Low += (length)) < addTemp) && \
74 (++(context)->Length_High == 0) ? shaInputTooLong : \
75 (context)->Corrupted )
76
77 /* Local Function Prototypes */
78 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0);
79 static void SHA224_256ProcessMessageBlock(SHA256Context *context);
80 static void SHA224_256Finalize(SHA256Context *context,
81 uint8_t Pad_Byte);
82 static void SHA224_256PadMessage(SHA256Context *context,
83 uint8_t Pad_Byte);
84 static int SHA224_256ResultN(SHA256Context *context,
85 uint8_t Message_Digest[ ], int HashSize);
86
87 /* Initial Hash Values: FIPS 180-3 section 5.3.2 */
88 static uint32_t SHA224_H0[SHA256HashSize/4] = {
89 0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939,
90 0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4
91 };
92
93 /* Initial Hash Values: FIPS 180-3 section 5.3.3 */
94 static uint32_t SHA256_H0[SHA256HashSize/4] = {
95 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
96 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
97 };
98
99 /*
100 * SHA224Reset
101 *
102 * Description:
103 * This function will initialize the SHA224Context in preparation
104 * for computing a new SHA224 message digest.
105 *
106 * Parameters:
107 * context: [in/out]
108 * The context to reset.
109 *
110 * Returns:
111 * sha Error Code.
112 */
SHA224Reset(SHA224Context * context)113 int SHA224Reset(SHA224Context *context)
114 {
115 return SHA224_256Reset(context, SHA224_H0);
116 }
117
118 /*
119 * SHA224Input
120 *
121 * Description:
122 * This function accepts an array of octets as the next portion
123 * of the message.
124 *
125 * Parameters:
126 * context: [in/out]
127 * The SHA context to update.
128 * message_array[ ]: [in]
129 * An array of octets representing the next portion of
130 * the message.
131 * length: [in]
132 * The length of the message in message_array.
133 *
134 * Returns:
135 * sha Error Code.
136 *
137 */
SHA224Input(SHA224Context * context,const uint8_t * message_array,unsigned int length)138 int SHA224Input(SHA224Context *context, const uint8_t *message_array,
139 unsigned int length)
140 {
141 return SHA256Input(context, message_array, length);
142 }
143
144 /*
145 * SHA224FinalBits
146 *
147 * Description:
148 * This function will add in any final bits of the message.
149 *
150 * Parameters:
151 * context: [in/out]
152 * The SHA context to update.
153 * message_bits: [in]
154 * The final bits of the message, in the upper portion of the
155 * byte. (Use 0b###00000 instead of 0b00000### to input the
156 * three bits ###.)
157 * length: [in]
158 * The number of bits in message_bits, between 1 and 7.
159 *
160 * Returns:
161 * sha Error Code.
162 */
SHA224FinalBits(SHA224Context * context,uint8_t message_bits,unsigned int length)163 int SHA224FinalBits(SHA224Context *context,
164 uint8_t message_bits, unsigned int length)
165 {
166 return SHA256FinalBits(context, message_bits, length);
167 }
168
169 /*
170 * SHA224Result
171 *
172 * Description:
173 * This function will return the 224-bit message digest
174 * into the Message_Digest array provided by the caller.
175 * NOTE:
176 * The first octet of hash is stored in the element with index 0,
177 * the last octet of hash in the element with index 27.
178 *
179 * Parameters:
180 * context: [in/out]
181 * The context to use to calculate the SHA hash.
182 * Message_Digest[ ]: [out]
183 * Where the digest is returned.
184 *
185 * Returns:
186 * sha Error Code.
187 */
SHA224Result(SHA224Context * context,uint8_t Message_Digest[SHA224HashSize])188 int SHA224Result(SHA224Context *context,
189 uint8_t Message_Digest[SHA224HashSize])
190 {
191 return SHA224_256ResultN(context, Message_Digest, SHA224HashSize);
192 }
193
194 /*
195 * SHA256Reset
196 *
197 * Description:
198 * This function will initialize the SHA256Context in preparation
199 * for computing a new SHA256 message digest.
200 *
201 * Parameters:
202 * context: [in/out]
203 * The context to reset.
204 *
205 * Returns:
206 * sha Error Code.
207 */
SHA256Reset(SHA256Context * context)208 int SHA256Reset(SHA256Context *context)
209 {
210 return SHA224_256Reset(context, SHA256_H0);
211 }
212
213 /*
214 * SHA256Input
215 *
216 * Description:
217 * This function accepts an array of octets as the next portion
218 * of the message.
219 *
220 * Parameters:
221 * context: [in/out]
222 * The SHA context to update.
223 * message_array[ ]: [in]
224 * An array of octets representing the next portion of
225 * the message.
226 * length: [in]
227 * The length of the message in message_array.
228 *
229 * Returns:
230 * sha Error Code.
231 */
SHA256Input(SHA256Context * context,const uint8_t * message_array,unsigned int length)232 int SHA256Input(SHA256Context *context, const uint8_t *message_array,
233 unsigned int length)
234 {
235 if (!context) return shaNull;
236 if (!length) return shaSuccess;
237 if (!message_array) return shaNull;
238 if (context->Computed) return context->Corrupted = shaStateError;
239 if (context->Corrupted) return context->Corrupted;
240
241 while (length--) {
242 context->Message_Block[context->Message_Block_Index++] =
243 *message_array;
244
245 if ((SHA224_256AddLength(context, 8) == shaSuccess) &&
246 (context->Message_Block_Index == SHA256_Message_Block_Size))
247 SHA224_256ProcessMessageBlock(context);
248
249 message_array++;
250 }
251
252 return context->Corrupted;
253
254 }
255
256 /*
257 * SHA256FinalBits
258 *
259 * Description:
260 * This function will add in any final bits of the message.
261 *
262 * Parameters:
263 * context: [in/out]
264 * The SHA context to update.
265 * message_bits: [in]
266 * The final bits of the message, in the upper portion of the
267 * byte. (Use 0b###00000 instead of 0b00000### to input the
268 * three bits ###.)
269 * length: [in]
270 * The number of bits in message_bits, between 1 and 7.
271 *
272 * Returns:
273 * sha Error Code.
274 */
SHA256FinalBits(SHA256Context * context,uint8_t message_bits,unsigned int length)275 int SHA256FinalBits(SHA256Context *context,
276 uint8_t message_bits, unsigned int length)
277 {
278 static uint8_t masks[8] = {
279 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
280 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
281 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
282 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
283 };
284 static uint8_t markbit[8] = {
285 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
286 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
287 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
288 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
289 };
290
291 if (!context) return shaNull;
292 if (!length) return shaSuccess;
293 if (context->Corrupted) return context->Corrupted;
294 if (context->Computed) return context->Corrupted = shaStateError;
295 if (length >= 8) return context->Corrupted = shaBadParam;
296
297 SHA224_256AddLength(context, length);
298 SHA224_256Finalize(context, (uint8_t)
299 ((message_bits & masks[length]) | markbit[length]));
300
301 return context->Corrupted;
302 }
303
304 /*
305 * SHA256Result
306 *
307 * Description:
308 * This function will return the 256-bit message digest
309 * into the Message_Digest array provided by the caller.
310 * NOTE:
311 * The first octet of hash is stored in the element with index 0,
312 * the last octet of hash in the element with index 31.
313 *
314 * Parameters:
315 * context: [in/out]
316 * The context to use to calculate the SHA hash.
317 * Message_Digest[ ]: [out]
318 * Where the digest is returned.
319 *
320 * Returns:
321 * sha Error Code.
322 */
SHA256Result(SHA256Context * context,uint8_t Message_Digest[SHA256HashSize])323 int SHA256Result(SHA256Context *context,
324 uint8_t Message_Digest[SHA256HashSize])
325 {
326 return SHA224_256ResultN(context, Message_Digest, SHA256HashSize);
327 }
328
329 /*
330 * SHA224_256Reset
331 *
332 * Description:
333 * This helper function will initialize the SHA256Context in
334 * preparation for computing a new SHA-224 or SHA-256 message digest.
335 *
336 * Parameters:
337 * context: [in/out]
338 * The context to reset.
339 * H0[ ]: [in]
340 * The initial hash value array to use.
341 *
342 * Returns:
343 * sha Error Code.
344 */
SHA224_256Reset(SHA256Context * context,uint32_t * H0)345 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0)
346 {
347 if (!context) return shaNull;
348
349 context->Length_High = context->Length_Low = 0;
350 context->Message_Block_Index = 0;
351
352 context->Intermediate_Hash[0] = H0[0];
353 context->Intermediate_Hash[1] = H0[1];
354 context->Intermediate_Hash[2] = H0[2];
355 context->Intermediate_Hash[3] = H0[3];
356 context->Intermediate_Hash[4] = H0[4];
357 context->Intermediate_Hash[5] = H0[5];
358 context->Intermediate_Hash[6] = H0[6];
359 context->Intermediate_Hash[7] = H0[7];
360
361 context->Computed = 0;
362 context->Corrupted = shaSuccess;
363
364 return shaSuccess;
365 }
366
367 /*
368 * SHA224_256ProcessMessageBlock
369 *
370 * Description:
371 * This helper function will process the next 512 bits of the
372 * message stored in the Message_Block array.
373 *
374 * Parameters:
375 * context: [in/out]
376 * The SHA context to update.
377 *
378 * Returns:
379 * Nothing.
380 *
381 * Comments:
382 * Many of the variable names in this code, especially the
383 * single character names, were used because those were the
384 * names used in the Secure Hash Standard.
385 */
SHA224_256ProcessMessageBlock(SHA256Context * context)386 static void SHA224_256ProcessMessageBlock(SHA256Context *context)
387 {
388 /* Constants defined in FIPS 180-3, section 4.2.2 */
389 static const uint32_t K[64] = {
390 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
391 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
392 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
393 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
394 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
395 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
396 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
397 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
398 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
399 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
400 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
401 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
402 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
403 };
404 int t, t4; /* Loop counter */
405 uint32_t temp1, temp2; /* Temporary word value */
406 uint32_t W[64]; /* Word sequence. Security review: Location L5 */
407 uint32_t A, B, C, D, E, F, G, H; /* Word buffers */
408
409 /*
410 * Initialize the first 16 words in the array W
411 */
412 for (t = t4 = 0; t < 16; t++, t4 += 4)
413 W[t] = (((uint32_t)context->Message_Block[t4]) << 24) |
414 (((uint32_t)context->Message_Block[t4 + 1]) << 16) |
415 (((uint32_t)context->Message_Block[t4 + 2]) << 8) |
416 (((uint32_t)context->Message_Block[t4 + 3]));
417
418 for (t = 16; t < 64; t++)
419 W[t] = SHA256_sigma1(W[t-2]) + W[t-7] +
420 SHA256_sigma0(W[t-15]) + W[t-16];
421
422 A = context->Intermediate_Hash[0];
423 B = context->Intermediate_Hash[1];
424 C = context->Intermediate_Hash[2];
425 D = context->Intermediate_Hash[3];
426 E = context->Intermediate_Hash[4];
427 F = context->Intermediate_Hash[5];
428 G = context->Intermediate_Hash[6];
429 H = context->Intermediate_Hash[7];
430
431 for (t = 0; t < 64; t++) {
432 temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
433 temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C);
434 H = G;
435 G = F;
436 F = E;
437 E = D + temp1;
438 D = C;
439 C = B;
440 B = A;
441 A = temp1 + temp2;
442 }
443
444 cl_clear_secret((void *) W, sizeof(W), sizeof(W));
445
446 context->Intermediate_Hash[0] += A;
447 context->Intermediate_Hash[1] += B;
448 context->Intermediate_Hash[2] += C;
449 context->Intermediate_Hash[3] += D;
450 context->Intermediate_Hash[4] += E;
451 context->Intermediate_Hash[5] += F;
452 context->Intermediate_Hash[6] += G;
453 context->Intermediate_Hash[7] += H;
454
455 context->Message_Block_Index = 0;
456 }
457
458 /*
459 * SHA224_256Finalize
460 *
461 * Description:
462 * This helper function finishes off the digest calculations.
463 *
464 * Parameters:
465 * context: [in/out]
466 * The SHA context to update.
467 * Pad_Byte: [in]
468 * The last byte to add to the message block before the 0-padding
469 * and length. This will contain the last bits of the message
470 * followed by another single bit. If the message was an
471 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
472 *
473 * Returns:
474 * sha Error Code.
475 */
SHA224_256Finalize(SHA256Context * context,uint8_t Pad_Byte)476 static void SHA224_256Finalize(SHA256Context *context,
477 uint8_t Pad_Byte)
478 {
479 int i;
480 SHA224_256PadMessage(context, Pad_Byte);
481 /* message may be sensitive, so clear it out */
482 for (i = 0; i < SHA256_Message_Block_Size; ++i)
483 context->Message_Block[i] = 0;
484 context->Length_High = 0; /* and clear length */
485 context->Length_Low = 0;
486 context->Computed = 1;
487 }
488
489 /*
490 * SHA224_256PadMessage
491 *
492 * Description:
493 * According to the standard, the message must be padded to the next
494 * even multiple of 512 bits. The first padding bit must be a '1'.
495 * The last 64 bits represent the length of the original message.
496 * All bits in between should be 0. This helper function will pad
497 * the message according to those rules by filling the
498 * Message_Block array accordingly. When it returns, it can be
499 * assumed that the message digest has been computed.
500 *
501 * Parameters:
502 * context: [in/out]
503 * The context to pad.
504 * Pad_Byte: [in]
505 * The last byte to add to the message block before the 0-padding
506 * and length. This will contain the last bits of the message
507 * followed by another single bit. If the message was an
508 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
509 *
510 * Returns:
511 * Nothing.
512 */
SHA224_256PadMessage(SHA256Context * context,uint8_t Pad_Byte)513 static void SHA224_256PadMessage(SHA256Context *context,
514 uint8_t Pad_Byte)
515 {
516 /*
517 * Check to see if the current message block is too small to hold
518 * the initial padding bits and length. If so, we will pad the
519 * block, process it, and then continue padding into a second
520 * block.
521 */
522 if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) {
523 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
524 while (context->Message_Block_Index < SHA256_Message_Block_Size)
525 context->Message_Block[context->Message_Block_Index++] = 0;
526 SHA224_256ProcessMessageBlock(context);
527 } else
528 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
529
530 while (context->Message_Block_Index < (SHA256_Message_Block_Size-8))
531 context->Message_Block[context->Message_Block_Index++] = 0;
532
533 /*
534 * Store the message length as the last 8 octets
535 */
536 context->Message_Block[56] = (uint8_t)(context->Length_High >> 24);
537 context->Message_Block[57] = (uint8_t)(context->Length_High >> 16);
538 context->Message_Block[58] = (uint8_t)(context->Length_High >> 8);
539 context->Message_Block[59] = (uint8_t)(context->Length_High);
540 context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24);
541 context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16);
542 context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8);
543 context->Message_Block[63] = (uint8_t)(context->Length_Low);
544
545 SHA224_256ProcessMessageBlock(context);
546 }
547
548 /*
549 * SHA224_256ResultN
550 *
551 * Description:
552 * This helper function will return the 224-bit or 256-bit message
553 * digest into the Message_Digest array provided by the caller.
554 * NOTE:
555 * The first octet of hash is stored in the element with index 0,
556 * the last octet of hash in the element with index 27/31.
557 *
558 * Parameters:
559 * context: [in/out]
560 * The context to use to calculate the SHA hash.
561 * Message_Digest[ ]: [out]
562 * Where the digest is returned.
563 * HashSize: [in]
564 * The size of the hash, either 28 or 32.
565 *
566 * Returns:
567 * sha Error Code.
568 */
SHA224_256ResultN(SHA256Context * context,uint8_t Message_Digest[],int HashSize)569 static int SHA224_256ResultN(SHA256Context *context,
570 uint8_t Message_Digest[ ], int HashSize)
571 {
572 int i;
573
574 if (!context) return shaNull;
575 if (!Message_Digest) return shaNull;
576 if (context->Corrupted) return context->Corrupted;
577
578 if (!context->Computed)
579 SHA224_256Finalize(context, 0x80);
580
581 for (i = 0; i < HashSize; ++i)
582 Message_Digest[i] = (uint8_t)
583 (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) ));
584
585 return shaSuccess;
586 }
587