cpukit/libmd/sha256c.c

0001 /*-
0002  * Copyright 2005 Colin Percival
0003  * All rights reserved.
0004  *
0005  * Redistribution and use in source and binary forms, with or without
0006  * modification, are permitted provided that the following conditions
0007  * are met:
0008  * 1. Redistributions of source code must retain the above copyright
0009  *    notice, this list of conditions and the following disclaimer.
0010  * 2. Redistributions in binary form must reproduce the above copyright
0011  *    notice, this list of conditions and the following disclaimer in the
0012  *    documentation and/or other materials provided with the distribution.
0013  *
0014  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
0015  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
0016  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
0017  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
0018  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
0019  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
0020  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
0021  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
0022  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
0023  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
0024  * SUCH DAMAGE.
0025  */
0026
0027 #include <sys/cdefs.h>
0028 __FBSDID("$FreeBSD$");
0029
0030 #include <sys/endian.h>
0031 #include <sys/types.h>
0032
0033 #include <string.h>
0034
0035 #include "sha224.h"
0036 #include "sha256.h"
0037
0038 #if BYTE_ORDER == BIG_ENDIAN
0039
0040 /* Copy a vector of big-endian uint32_t into a vector of bytes */
0041 #define be32enc_vect(dst, src, len) \
0042     memcpy((void *)dst, (const void *)src, (size_t)len)
0043
0044 /* Copy a vector of bytes into a vector of big-endian uint32_t */
0045 #define be32dec_vect(dst, src, len) \
0046     memcpy((void *)dst, (const void *)src, (size_t)len)
0047
0048 #else /* BYTE_ORDER != BIG_ENDIAN */
0049
0050 /*
0051  * Encode a length len/4 vector of (uint32_t) into a length len vector of
0052  * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
0053  */
0054 static void
0055 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
0056 {
0057     size_t i;
0058
0059     for (i = 0; i < len / 4; i++)
0060         be32enc(dst + i * 4, src[i]);
0061 }
0062
0063 /*
0064  * Decode a big-endian length len vector of (unsigned char) into a length
0065  * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
0066  */
0067 static void
0068 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
0069 {
0070     size_t i;
0071
0072     for (i = 0; i < len / 4; i++)
0073         dst[i] = be32dec(src + i * 4);
0074 }
0075
0076 #endif /* BYTE_ORDER != BIG_ENDIAN */
0077
0078 /* SHA256 round constants. */
0079 static const uint32_t K[64] = {
0080     0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
0081     0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0082     0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
0083     0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0084     0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
0085     0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0086     0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
0087     0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0088     0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
0089     0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0090     0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
0091     0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0092     0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
0093     0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0094     0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
0095     0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
0096 };
0097
0098 /* Elementary functions used by SHA256 */
0099 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
0100 #define Maj(x, y, z)    ((x & (y | z)) | (y & z))
0101 #define SHR(x, n)   (x >> n)
0102 #define ROTR(x, n)  ((x >> n) | (x << (32 - n)))
0103 #define S0(x)       (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
0104 #define S1(x)       (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
0105 #define s0(x)       (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
0106 #define s1(x)       (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
0107
0108 /* SHA256 round function */
0109 #define RND(a, b, c, d, e, f, g, h, k)          \
0110     h += S1(e) + Ch(e, f, g) + k;           \
0111     d += h;                     \
0112     h += S0(a) + Maj(a, b, c);
0113
0114 /* Adjusted round function for rotating state */
0115 #define RNDr(S, W, i, ii)           \
0116     RND(S[(64 - i) % 8], S[(65 - i) % 8],   \
0117         S[(66 - i) % 8], S[(67 - i) % 8],   \
0118         S[(68 - i) % 8], S[(69 - i) % 8],   \
0119         S[(70 - i) % 8], S[(71 - i) % 8],   \
0120         W[i + ii] + K[i + ii])
0121
0122 /* Message schedule computation */
0123 #define MSCH(W, ii, i)              \
0124     W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
0125
0126 /*
0127  * SHA256 block compression function.  The 256-bit state is transformed via
0128  * the 512-bit input block to produce a new state.
0129  */
0130 static void
0131 SHA256_Transform(uint32_t * state, const unsigned char block[64])
0132 {
0133     uint32_t W[64];
0134     uint32_t S[8];
0135     int i;
0136
0137     /* 1. Prepare the first part of the message schedule W. */
0138     be32dec_vect(W, block, 64);
0139
0140     /* 2. Initialize working variables. */
0141     memcpy(S, state, 32);
0142
0143     /* 3. Mix. */
0144     for (i = 0; i < 64; i += 16) {
0145         RNDr(S, W, 0, i);
0146         RNDr(S, W, 1, i);
0147         RNDr(S, W, 2, i);
0148         RNDr(S, W, 3, i);
0149         RNDr(S, W, 4, i);
0150         RNDr(S, W, 5, i);
0151         RNDr(S, W, 6, i);
0152         RNDr(S, W, 7, i);
0153         RNDr(S, W, 8, i);
0154         RNDr(S, W, 9, i);
0155         RNDr(S, W, 10, i);
0156         RNDr(S, W, 11, i);
0157         RNDr(S, W, 12, i);
0158         RNDr(S, W, 13, i);
0159         RNDr(S, W, 14, i);
0160         RNDr(S, W, 15, i);
0161
0162         if (i == 48)
0163             break;
0164         MSCH(W, 0, i);
0165         MSCH(W, 1, i);
0166         MSCH(W, 2, i);
0167         MSCH(W, 3, i);
0168         MSCH(W, 4, i);
0169         MSCH(W, 5, i);
0170         MSCH(W, 6, i);
0171         MSCH(W, 7, i);
0172         MSCH(W, 8, i);
0173         MSCH(W, 9, i);
0174         MSCH(W, 10, i);
0175         MSCH(W, 11, i);
0176         MSCH(W, 12, i);
0177         MSCH(W, 13, i);
0178         MSCH(W, 14, i);
0179         MSCH(W, 15, i);
0180     }
0181
0182     /* 4. Mix local working variables into global state */
0183     for (i = 0; i < 8; i++)
0184         state[i] += S[i];
0185 }
0186
0187 static const unsigned char PAD[64] = {
0188     0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0189     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0190     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0191     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
0192 };
0193
0194 /* Add padding and terminating bit-count. */
0195 static void
0196 SHA256_Pad(SHA256_CTX * ctx)
0197 {
0198     size_t r;
0199
0200     /* Figure out how many bytes we have buffered. */
0201     r = (ctx->count >> 3) & 0x3f;
0202
0203     /* Pad to 56 mod 64, transforming if we finish a block en route. */
0204     if (r < 56) {
0205         /* Pad to 56 mod 64. */
0206         memcpy(&ctx->buf[r], PAD, 56 - r);
0207     } else {
0208         /* Finish the current block and mix. */
0209         memcpy(&ctx->buf[r], PAD, 64 - r);
0210         SHA256_Transform(ctx->state, ctx->buf);
0211
0212         /* The start of the final block is all zeroes. */
0213         memset(&ctx->buf[0], 0, 56);
0214     }
0215
0216     /* Add the terminating bit-count. */
0217     be64enc(&ctx->buf[56], ctx->count);
0218
0219     /* Mix in the final block. */
0220     SHA256_Transform(ctx->state, ctx->buf);
0221 }
0222
0223 /* SHA-256 initialization.  Begins a SHA-256 operation. */
0224 void
0225 SHA256_Init(SHA256_CTX * ctx)
0226 {
0227
0228     /* Zero bits processed so far */
0229     ctx->count = 0;
0230
0231     /* Magic initialization constants */
0232     ctx->state[0] = 0x6A09E667;
0233     ctx->state[1] = 0xBB67AE85;
0234     ctx->state[2] = 0x3C6EF372;
0235     ctx->state[3] = 0xA54FF53A;
0236     ctx->state[4] = 0x510E527F;
0237     ctx->state[5] = 0x9B05688C;
0238     ctx->state[6] = 0x1F83D9AB;
0239     ctx->state[7] = 0x5BE0CD19;
0240 }
0241
0242 /* Add bytes into the hash */
0243 void
0244 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
0245 {
0246     uint64_t bitlen;
0247     uint32_t r;
0248     const unsigned char *src = in;
0249
0250     /* Number of bytes left in the buffer from previous updates */
0251     r = (ctx->count >> 3) & 0x3f;
0252
0253     /* Convert the length into a number of bits */
0254     bitlen = len << 3;
0255
0256     /* Update number of bits */
0257     ctx->count += bitlen;
0258
0259     /* Handle the case where we don't need to perform any transforms */
0260     if (len < 64 - r) {
0261         memcpy(&ctx->buf[r], src, len);
0262         return;
0263     }
0264
0265     /* Finish the current block */
0266     memcpy(&ctx->buf[r], src, 64 - r);
0267     SHA256_Transform(ctx->state, ctx->buf);
0268     src += 64 - r;
0269     len -= 64 - r;
0270
0271     /* Perform complete blocks */
0272     while (len >= 64) {
0273         SHA256_Transform(ctx->state, src);
0274         src += 64;
0275         len -= 64;
0276     }
0277
0278     /* Copy left over data into buffer */
0279     memcpy(ctx->buf, src, len);
0280 }
0281
0282 /*
0283  * SHA-256 finalization.  Pads the input data, exports the hash value,
0284  * and clears the context state.
0285  */
0286 void
0287 SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx)
0288 {
0289
0290     /* Add padding */
0291     SHA256_Pad(ctx);
0292
0293     /* Write the hash */
0294     be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH);
0295
0296     /* Clear the context state */
0297     explicit_bzero(ctx, sizeof(*ctx));
0298 }
0299
0300 /*** SHA-224: *********************************************************/
0301 /*
0302  * the SHA224 and SHA256 transforms are identical
0303  */
0304
0305 /* SHA-224 initialization.  Begins a SHA-224 operation. */
0306 void
0307 SHA224_Init(SHA224_CTX * ctx)
0308 {
0309
0310     /* Zero bits processed so far */
0311     ctx->count = 0;
0312
0313     /* Magic initialization constants */
0314     ctx->state[0] = 0xC1059ED8;
0315     ctx->state[1] = 0x367CD507;
0316     ctx->state[2] = 0x3070DD17;
0317     ctx->state[3] = 0xF70E5939;
0318     ctx->state[4] = 0xFFC00B31;
0319     ctx->state[5] = 0x68581511;
0320     ctx->state[6] = 0x64f98FA7;
0321     ctx->state[7] = 0xBEFA4FA4;
0322 }
0323
0324 /* Add bytes into the SHA-224 hash */
0325 void
0326 SHA224_Update(SHA224_CTX * ctx, const void *in, size_t len)
0327 {
0328
0329     SHA256_Update((SHA256_CTX *)ctx, in, len);
0330 }
0331
0332 /*
0333  * SHA-224 finalization.  Pads the input data, exports the hash value,
0334  * and clears the context state.
0335  */
0336 void
0337 SHA224_Final(unsigned char digest[static SHA224_DIGEST_LENGTH], SHA224_CTX *ctx)
0338 {
0339
0340     /* Add padding */
0341     SHA256_Pad((SHA256_CTX *)ctx);
0342
0343     /* Write the hash */
0344     be32enc_vect(digest, ctx->state, SHA224_DIGEST_LENGTH);
0345
0346     /* Clear the context state */
0347     explicit_bzero(ctx, sizeof(*ctx));
0348 }