1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright (C) Brainspark B.V.
5 *
6 * IUPAC/InChI-Trust Licence for the International Chemical Identifier (InChI)
7 * Software version 1.0.
8 * Copyright (C) IUPAC and InChI Trust Limited
9 *
10 * This library is free software; you can redistribute it and/or modify it under the
11 * terms of the IUPAC/InChI Trust Licence for the International Chemical Identifier
12 * (InChI) Software version 1.0; either version 1.0 of the License, or
13 * (at your option) any later version.
14 *
15 * This library is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
18 * See the IUPAC/InChI Trust Licence for the International Chemical Identifier (InChI)
19 * Software version 1.0 for more details.
20 *
21 * You should have received a copy of the IUPAC/InChI Trust Licence for the
22 * International Chemical Identifier (InChI) Software version 1.0 along with
23 * this library; if not, write to:
24 *
25 * The InChI Trust
26 * c/o FIZ CHEMIE Berlin
27 * Franklinstrasse 11
28 * 10587 Berlin
29 * GERMANY
30 *
31 */
32
33
34 /*
35 * The SHA-256 standard was published by NIST in 2002.
36 *
37 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
38 */
39
40 #ifndef _CRT_SECURE_NO_DEPRECATE
41 #define _CRT_SECURE_NO_DEPRECATE 1
42 #endif
43
44 #include <string.h>
45 #include <stdio.h>
46
47 #include "sha2.h"
48
49 /*
50 * 32-bit integer manipulation macros (big endian)
51 */
52 #ifndef GET_UINT32_BE
53 #define GET_UINT32_BE(n,b,i) \
54 { \
55 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
56 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
57 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
58 | ( (unsigned long) (b)[(i) + 3] ); \
59 }
60 #endif
61 #ifndef PUT_UINT32_BE
62 #define PUT_UINT32_BE(n,b,i) \
63 { \
64 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
65 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
66 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
67 (b)[(i) + 3] = (unsigned char) ( (n) ); \
68 }
69 #endif
70
71 /*
72 * SHA-2 context setup
73 */
sha2_starts(sha2_context * ctx)74 void sha2_starts( sha2_context *ctx )
75 {
76 ctx->total[0] = 0;
77 ctx->total[1] = 0;
78
79 ctx->state[0] = 0x6A09E667;
80 ctx->state[1] = 0xBB67AE85;
81 ctx->state[2] = 0x3C6EF372;
82 ctx->state[3] = 0xA54FF53A;
83 ctx->state[4] = 0x510E527F;
84 ctx->state[5] = 0x9B05688C;
85 ctx->state[6] = 0x1F83D9AB;
86 ctx->state[7] = 0x5BE0CD19;
87 }
88
sha2_process(sha2_context * ctx,unsigned char data[64])89 static void sha2_process( sha2_context *ctx, unsigned char data[64] )
90 {
91 unsigned long temp1, temp2, W[64];
92 unsigned long A, B, C, D, E, F, G, H;
93
94 GET_UINT32_BE( W[0], data, 0 );
95 GET_UINT32_BE( W[1], data, 4 );
96 GET_UINT32_BE( W[2], data, 8 );
97 GET_UINT32_BE( W[3], data, 12 );
98 GET_UINT32_BE( W[4], data, 16 );
99 GET_UINT32_BE( W[5], data, 20 );
100 GET_UINT32_BE( W[6], data, 24 );
101 GET_UINT32_BE( W[7], data, 28 );
102 GET_UINT32_BE( W[8], data, 32 );
103 GET_UINT32_BE( W[9], data, 36 );
104 GET_UINT32_BE( W[10], data, 40 );
105 GET_UINT32_BE( W[11], data, 44 );
106 GET_UINT32_BE( W[12], data, 48 );
107 GET_UINT32_BE( W[13], data, 52 );
108 GET_UINT32_BE( W[14], data, 56 );
109 GET_UINT32_BE( W[15], data, 60 );
110
111 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
112 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
113
114 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
115 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
116
117 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
118 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
119
120 #define F0(x,y,z) ((x & y) | (z & (x | y)))
121 #define F1(x,y,z) (z ^ (x & (y ^ z)))
122
123 #define R(t) \
124 ( \
125 W[t] = S1(W[t - 2]) + W[t - 7] + \
126 S0(W[t - 15]) + W[t - 16] \
127 )
128
129 #define P(a,b,c,d,e,f,g,h,x,K) \
130 { \
131 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
132 temp2 = S2(a) + F0(a,b,c); \
133 d += temp1; h = temp1 + temp2; \
134 }
135
136 A = ctx->state[0];
137 B = ctx->state[1];
138 C = ctx->state[2];
139 D = ctx->state[3];
140 E = ctx->state[4];
141 F = ctx->state[5];
142 G = ctx->state[6];
143 H = ctx->state[7];
144
145 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
146 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
147 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
148 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
149 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
150 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
151 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
152 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
153 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
154 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
155 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
156 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
157 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
158 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
159 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
160 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
161 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
162 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
163 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
164 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
165 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
166 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
167 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
168 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
169 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
170 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
171 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
172 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
173 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
174 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
175 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
176 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
177 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
178 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
179 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
180 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
181 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
182 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
183 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
184 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
185 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
186 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
187 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
188 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
189 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
190 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
191 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
192 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
193 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
194 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
195 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
196 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
197 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
198 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
199 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
200 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
201 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
202 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
203 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
204 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
205 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
206 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
207 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
208 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
209
210 ctx->state[0] += A;
211 ctx->state[1] += B;
212 ctx->state[2] += C;
213 ctx->state[3] += D;
214 ctx->state[4] += E;
215 ctx->state[5] += F;
216 ctx->state[6] += G;
217 ctx->state[7] += H;
218 }
219
220 /*
221 * SHA-2 process buffer
222 */
sha2_update(sha2_context * ctx,unsigned char * input,int ilen)223 void sha2_update( sha2_context *ctx, unsigned char *input, int ilen )
224 {
225 int fill;
226 unsigned long left;
227
228 if( ilen <= 0 )
229 return;
230
231 left = ctx->total[0] & 0x3F;
232 fill = 64 - left;
233
234 ctx->total[0] += ilen;
235 ctx->total[0] &= 0xFFFFFFFF;
236
237 if( ctx->total[0] < (unsigned long) ilen )
238 ctx->total[1]++;
239
240 if( left && ilen >= fill )
241 {
242 memcpy( (void *) (ctx->buffer + left),
243 (void *) input, fill );
244 sha2_process( ctx, ctx->buffer );
245 input += fill;
246 ilen -= fill;
247 left = 0;
248 }
249
250 while( ilen >= 64 )
251 {
252 sha2_process( ctx, input );
253 input += 64;
254 ilen -= 64;
255 }
256
257 if( ilen > 0 )
258 {
259 memcpy( (void *) (ctx->buffer + left),
260 (void *) input, ilen );
261 }
262 }
263
264 static const unsigned char sha2_padding[64] =
265 {
266 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
267 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
268 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
269 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
270 };
271
272 /*
273 * SHA-2 final digest
274 */
sha2_finish(sha2_context * ctx,unsigned char output[32])275 void sha2_finish( sha2_context *ctx, unsigned char output[32] )
276 {
277 unsigned long last, padn;
278 unsigned long high, low;
279 unsigned char msglen[8];
280
281 high = ( ctx->total[0] >> 29 )
282 | ( ctx->total[1] << 3 );
283 low = ( ctx->total[0] << 3 );
284
285 PUT_UINT32_BE( high, msglen, 0 );
286 PUT_UINT32_BE( low, msglen, 4 );
287
288 last = ctx->total[0] & 0x3F;
289 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
290
291 sha2_update( ctx, (unsigned char *) sha2_padding, padn );
292 sha2_update( ctx, msglen, 8 );
293
294 PUT_UINT32_BE( ctx->state[0], output, 0 );
295 PUT_UINT32_BE( ctx->state[1], output, 4 );
296 PUT_UINT32_BE( ctx->state[2], output, 8 );
297 PUT_UINT32_BE( ctx->state[3], output, 12 );
298 PUT_UINT32_BE( ctx->state[4], output, 16 );
299 PUT_UINT32_BE( ctx->state[5], output, 20 );
300 PUT_UINT32_BE( ctx->state[6], output, 24 );
301 PUT_UINT32_BE( ctx->state[7], output, 28 );
302 }
303
304 /*
305 * Output = SHA-2( file contents )
306 */
sha2_file(char * path,unsigned char output[32])307 int sha2_file( char *path, unsigned char output[32] )
308 {
309 FILE *f;
310 size_t n;
311 sha2_context ctx;
312 unsigned char buf[1024];
313
314 if( ( f = fopen( path, "rb" ) ) == NULL )
315 return( 1 );
316
317 sha2_starts( &ctx );
318
319 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
320 sha2_update( &ctx, buf, (int) n );
321
322 sha2_finish( &ctx, output );
323
324 fclose( f );
325 return( 0 );
326 }
327
328 /*
329 * Output = SHA-2( input buffer )
330 */
sha2_csum(unsigned char * input,int ilen,unsigned char output[32])331 void sha2_csum( unsigned char *input, int ilen,
332 unsigned char output[32] )
333 {
334 sha2_context ctx;
335
336 sha2_starts( &ctx );
337 sha2_update( &ctx, input, ilen );
338 sha2_finish( &ctx, output );
339 }
340
341 /*
342 * Output = HMAC-SHA-2( input buffer, hmac key )
343 */
sha2_hmac(unsigned char * key,int keylen,unsigned char * input,int ilen,unsigned char output[32])344 void sha2_hmac( unsigned char *key, int keylen,
345 unsigned char *input, int ilen,
346 unsigned char output[32] )
347 {
348 int i;
349 sha2_context ctx;
350 unsigned char k_ipad[64];
351 unsigned char k_opad[64];
352 unsigned char tmpbuf[32];
353
354 memset( k_ipad, 0x36, 64 );
355 memset( k_opad, 0x5C, 64 );
356
357 for( i = 0; i < keylen; i++ )
358 {
359 if( i >= 64 ) break;
360
361 k_ipad[i] ^= key[i];
362 k_opad[i] ^= key[i];
363 }
364
365 sha2_starts( &ctx );
366 sha2_update( &ctx, k_ipad, 64 );
367 sha2_update( &ctx, input, ilen );
368 sha2_finish( &ctx, tmpbuf );
369
370 sha2_starts( &ctx );
371 sha2_update( &ctx, k_opad, 64 );
372 sha2_update( &ctx, tmpbuf, 32 );
373 sha2_finish( &ctx, output );
374
375 memset( k_ipad, 0, 64 );
376 memset( k_opad, 0, 64 );
377 memset( tmpbuf, 0, 32 );
378 memset( &ctx, 0, sizeof( sha2_context ) );
379 }
380
381 #ifdef SELF_TEST
382 /*
383 * FIPS-180-2 test vectors
384 */
385 static const char sha2_test_str[3][57] =
386 {
387 { "abc" },
388 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
389 { "" }
390 };
391
392 static const unsigned char sha2_test_sum[3][32] =
393 {
394 { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
395 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
396 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
397 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
398 { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
399 0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
400 0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
401 0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
402 { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
403 0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
404 0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
405 0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
406 };
407
408 /*
409 * Checkup routine
410 */
sha2_self_test(void)411 int sha2_self_test( void )
412 {
413 int i, j;
414 unsigned char buf[1000];
415 unsigned char sha2sum[32];
416 sha2_context ctx;
417
418 for( i = 0; i < 3; i++ )
419 {
420 printf( " SHA-256 test #%d: ", i + 1 );
421
422 sha2_starts( &ctx );
423
424 if( i < 2 )
425 sha2_update( &ctx, (unsigned char *) sha2_test_str[i],
426 strlen( sha2_test_str[i] ) );
427 else
428 {
429 memset( buf, 'a', 1000 );
430 for( j = 0; j < 1000; j++ )
431 sha2_update( &ctx, buf, 1000 );
432 }
433
434 sha2_finish( &ctx, sha2sum );
435
436 if( memcmp( sha2sum, sha2_test_sum[i], 20 ) != 0 )
437 {
438 printf( "failed\n" );
439 return( 1 );
440 }
441
442 printf( "passed\n" );
443 }
444
445 printf( "\n" );
446 return( 0 );
447 }
448 #else
sha2_self_test(void)449 int sha2_self_test( void )
450 {
451 return( 0 );
452 }
453 #endif
454
455