1 2 /*- 3 * Copyright 2005,2007,2009 Colin Percival 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 * 27 */ 28 29 #include <limits.h> 30 #include <stdint.h> 31 #include <stdlib.h> 32 #include <string.h> 33 34 #include <sys/types.h> 35 36 #include "crypto_hash_sha256.h" 37 #include "private/common.h" 38 #include "utils.h" 39 40 static void 41 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) 42 { 43 size_t i; 44 45 for (i = 0; i < len / 4; i++) { 46 STORE32_BE(dst + i * 4, src[i]); 47 } 48 } 49 50 static void 51 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) 52 { 53 size_t i; 54 55 for (i = 0; i < len / 4; i++) { 56 dst[i] = LOAD32_BE(src + i * 4); 57 } 58 } 59 60 static const uint32_t Krnd[64] = { 61 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 62 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 63 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 64 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 65 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 66 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 67 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 68 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 69 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 70 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 71 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 72 }; 73 74 #define Ch(x, y, z) ((x & (y ^ z)) ^ z) 75 #define Maj(x, y, z) ((x & (y | z)) | (y & z)) 76 #define SHR(x, n) (x >> n) 77 #define ROTR(x, n) ROTR32(x, n) 78 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 79 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 80 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) 81 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) 82 83 #define RND(a, b, c, d, e, f, g, h, k) \ 84 h += S1(e) + Ch(e, f, g) + k; \ 85 d += h; \ 86 h += S0(a) + Maj(a, b, c); 87 88 #define RNDr(S, W, i, ii) \ 89 RND(S[(64 - i) % 8], S[(65 - i) % 8], S[(66 - i) % 8], S[(67 - i) % 8], \ 90 S[(68 - i) % 8], S[(69 - i) % 8], S[(70 - i) % 8], S[(71 - i) % 8], \ 91 W[i + ii] + Krnd[i + ii]) 92 93 #define MSCH(W, ii, i) \ 94 W[i + ii + 16] = \ 95 s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii] 96 97 static void 98 SHA256_Transform(uint32_t state[8], const uint8_t block[64], uint32_t W[64], 99 uint32_t S[8]) 100 { 101 int i; 102 103 be32dec_vect(W, block, 64); 104 memcpy(S, state, 32); 105 for (i = 0; i < 64; i += 16) { 106 RNDr(S, W, 0, i); 107 RNDr(S, W, 1, i); 108 RNDr(S, W, 2, i); 109 RNDr(S, W, 3, i); 110 RNDr(S, W, 4, i); 111 RNDr(S, W, 5, i); 112 RNDr(S, W, 6, i); 113 RNDr(S, W, 7, i); 114 RNDr(S, W, 8, i); 115 RNDr(S, W, 9, i); 116 RNDr(S, W, 10, i); 117 RNDr(S, W, 11, i); 118 RNDr(S, W, 12, i); 119 RNDr(S, W, 13, i); 120 RNDr(S, W, 14, i); 121 RNDr(S, W, 15, i); 122 if (i == 48) { 123 break; 124 } 125 MSCH(W, 0, i); 126 MSCH(W, 1, i); 127 MSCH(W, 2, i); 128 MSCH(W, 3, i); 129 MSCH(W, 4, i); 130 MSCH(W, 5, i); 131 MSCH(W, 6, i); 132 MSCH(W, 7, i); 133 MSCH(W, 8, i); 134 MSCH(W, 9, i); 135 MSCH(W, 10, i); 136 MSCH(W, 11, i); 137 MSCH(W, 12, i); 138 MSCH(W, 13, i); 139 MSCH(W, 14, i); 140 MSCH(W, 15, i); 141 } 142 for (i = 0; i < 8; i++) { 143 state[i] += S[i]; 144 } 145 } 146 147 static const uint8_t PAD[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 148 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 149 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 150 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 151 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; 152 153 static void 154 SHA256_Pad(crypto_hash_sha256_state *state, uint32_t tmp32[64 + 8]) 155 { 156 unsigned int r; 157 unsigned int i; 158 159 r = (unsigned int) ((state->count >> 3) & 0x3f); 160 if (r < 56) { 161 for (i = 0; i < 56 - r; i++) { 162 state->buf[r + i] = PAD[i]; 163 } 164 } else { 165 for (i = 0; i < 64 - r; i++) { 166 state->buf[r + i] = PAD[i]; 167 } 168 SHA256_Transform(state->state, state->buf, &tmp32[0], &tmp32[64]); 169 memset(&state->buf[0], 0, 56); 170 } 171 STORE64_BE(&state->buf[56], state->count); 172 SHA256_Transform(state->state, state->buf, &tmp32[0], &tmp32[64]); 173 } 174 175 int 176 crypto_hash_sha256_init(crypto_hash_sha256_state *state) 177 { 178 static const uint32_t sha256_initial_state[8] = { 0x6a09e667, 0xbb67ae85, 179 0x3c6ef372, 0xa54ff53a, 180 0x510e527f, 0x9b05688c, 181 0x1f83d9ab, 0x5be0cd19 }; 182 183 state->count = (uint64_t) 0U; 184 memcpy(state->state, sha256_initial_state, sizeof sha256_initial_state); 185 186 return 0; 187 } 188 189 int 190 crypto_hash_sha256_update(crypto_hash_sha256_state *state, 191 const unsigned char *in, unsigned long long inlen) 192 { 193 uint32_t tmp32[64 + 8]; 194 unsigned long long i; 195 unsigned long long r; 196 197 if (inlen <= 0U) { 198 return 0; 199 } 200 r = (unsigned long long) ((state->count >> 3) & 0x3f); 201 202 state->count += ((uint64_t) inlen) << 3; 203 if (inlen < 64 - r) { 204 for (i = 0; i < inlen; i++) { 205 state->buf[r + i] = in[i]; 206 } 207 return 0; 208 } 209 for (i = 0; i < 64 - r; i++) { 210 state->buf[r + i] = in[i]; 211 } 212 SHA256_Transform(state->state, state->buf, &tmp32[0], &tmp32[64]); 213 in += 64 - r; 214 inlen -= 64 - r; 215 216 while (inlen >= 64) { 217 SHA256_Transform(state->state, in, &tmp32[0], &tmp32[64]); 218 in += 64; 219 inlen -= 64; 220 } 221 inlen &= 63; 222 for (i = 0; i < inlen; i++) { 223 state->buf[i] = in[i]; 224 } 225 sodium_memzero((void *) tmp32, sizeof tmp32); 226 227 return 0; 228 } 229 230 int 231 crypto_hash_sha256_final(crypto_hash_sha256_state *state, unsigned char *out) 232 { 233 uint32_t tmp32[64 + 8]; 234 235 SHA256_Pad(state, tmp32); 236 be32enc_vect(out, state->state, 32); 237 sodium_memzero((void *) tmp32, sizeof tmp32); 238 sodium_memzero((void *) state, sizeof *state); 239 240 return 0; 241 } 242 243 int 244 crypto_hash_sha256(unsigned char *out, const unsigned char *in, 245 unsigned long long inlen) 246 { 247 crypto_hash_sha256_state state; 248 249 crypto_hash_sha256_init(&state); 250 crypto_hash_sha256_update(&state, in, inlen); 251 crypto_hash_sha256_final(&state, out); 252 253 return 0; 254 } 255