1 /*-
2 * Copyright 2005 Colin Percival
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27 #include <sys/cdefs.h>
28 #include <endian.h>
29 #include <sys/types.h>
30
31 #ifdef _KERNEL
32 #include <sys/systm.h>
33 #else
34 #include <string.h>
35 #endif
36
37 #include "sha256.h"
38
39 #if BYTE_ORDER == BIG_ENDIAN
40
41 /* Copy a vector of big-endian uint32_t into a vector of bytes */
42 #define be32enc_vect(dst, src, len) \
43 memcpy((void *)dst, (const void *)src, (size_t)len)
44
45 /* Copy a vector of bytes into a vector of big-endian uint32_t */
46 #define be32dec_vect(dst, src, len) \
47 memcpy((void *)dst, (const void *)src, (size_t)len)
48
49 #else /* BYTE_ORDER != BIG_ENDIAN */
50
51 /*
52 * Encode a length len/4 vector of (uint32_t) into a length len vector of
53 * (unsigned char) in big-endian form. Assumes len is a multiple of 4.
54 */
55 static void
be32enc_vect(unsigned char * dst,const uint32_t * src,size_t len)56 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
57 {
58 size_t i;
59
60 for (i = 0; i < len / 4; i++)
61 be32enc(dst + i * 4, src[i]);
62 }
63
64 /*
65 * Decode a big-endian length len vector of (unsigned char) into a length
66 * len/4 vector of (uint32_t). Assumes len is a multiple of 4.
67 */
68 static void
be32dec_vect(uint32_t * dst,const unsigned char * src,size_t len)69 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
70 {
71 size_t i;
72
73 for (i = 0; i < len / 4; i++)
74 dst[i] = be32dec(src + i * 4);
75 }
76
77 #endif /* BYTE_ORDER != BIG_ENDIAN */
78
79 /* SHA256 round constants. */
80 static const uint32_t K[64] = {
81 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
82 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
83 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
84 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
85 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
86 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
87 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
88 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
89 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
90 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
91 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
92 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
93 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
94 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
95 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
96 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
97 };
98
99 /* Elementary functions used by SHA256 */
100 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
101 #define Maj(x, y, z) ((x & (y | z)) | (y & z))
102 #define SHR(x, n) (x >> n)
103 #define ROTR(x, n) ((x >> n) | (x << (32 - n)))
104 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
105 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
106 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
107 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
108
109 /* SHA256 round function */
110 #define RND(a, b, c, d, e, f, g, h, k) \
111 h += S1(e) + Ch(e, f, g) + k; \
112 d += h; \
113 h += S0(a) + Maj(a, b, c);
114
115 /* Adjusted round function for rotating state */
116 #define RNDr(S, W, i, ii) \
117 RND(S[(64 - i) % 8], S[(65 - i) % 8], \
118 S[(66 - i) % 8], S[(67 - i) % 8], \
119 S[(68 - i) % 8], S[(69 - i) % 8], \
120 S[(70 - i) % 8], S[(71 - i) % 8], \
121 W[i + ii] + K[i + ii])
122
123 /* Message schedule computation */
124 #define MSCH(W, ii, i) \
125 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
126
127 /*
128 * SHA256 block compression function. The 256-bit state is transformed via
129 * the 512-bit input block to produce a new state.
130 */
131 static void
SHA256_Transform(uint32_t * state,const unsigned char block[64])132 SHA256_Transform(uint32_t * state, const unsigned char block[64])
133 {
134 uint32_t W[64];
135 uint32_t S[8];
136 int i;
137
138 /* 1. Prepare the first part of the message schedule W. */
139 be32dec_vect(W, block, 64);
140
141 /* 2. Initialize working variables. */
142 memcpy(S, state, 32);
143
144 /* 3. Mix. */
145 for (i = 0; i < 64; i += 16) {
146 RNDr(S, W, 0, i);
147 RNDr(S, W, 1, i);
148 RNDr(S, W, 2, i);
149 RNDr(S, W, 3, i);
150 RNDr(S, W, 4, i);
151 RNDr(S, W, 5, i);
152 RNDr(S, W, 6, i);
153 RNDr(S, W, 7, i);
154 RNDr(S, W, 8, i);
155 RNDr(S, W, 9, i);
156 RNDr(S, W, 10, i);
157 RNDr(S, W, 11, i);
158 RNDr(S, W, 12, i);
159 RNDr(S, W, 13, i);
160 RNDr(S, W, 14, i);
161 RNDr(S, W, 15, i);
162
163 if (i == 48)
164 break;
165 MSCH(W, 0, i);
166 MSCH(W, 1, i);
167 MSCH(W, 2, i);
168 MSCH(W, 3, i);
169 MSCH(W, 4, i);
170 MSCH(W, 5, i);
171 MSCH(W, 6, i);
172 MSCH(W, 7, i);
173 MSCH(W, 8, i);
174 MSCH(W, 9, i);
175 MSCH(W, 10, i);
176 MSCH(W, 11, i);
177 MSCH(W, 12, i);
178 MSCH(W, 13, i);
179 MSCH(W, 14, i);
180 MSCH(W, 15, i);
181 }
182
183 /* 4. Mix local working variables into global state */
184 for (i = 0; i < 8; i++)
185 state[i] += S[i];
186 }
187
188 static unsigned char PAD[64] = {
189 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
190 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
191 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
192 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
193 };
194
195 /* Add padding and terminating bit-count. */
196 static void
SHA256_Pad(SHA256_CTX * ctx)197 SHA256_Pad(SHA256_CTX * ctx)
198 {
199 size_t r;
200
201 /* Figure out how many bytes we have buffered. */
202 r = (ctx->count >> 3) & 0x3f;
203
204 /* Pad to 56 mod 64, transforming if we finish a block en route. */
205 if (r < 56) {
206 /* Pad to 56 mod 64. */
207 memcpy(&ctx->buf[r], PAD, 56 - r);
208 } else {
209 /* Finish the current block and mix. */
210 memcpy(&ctx->buf[r], PAD, 64 - r);
211 SHA256_Transform(ctx->state, ctx->buf);
212
213 /* The start of the final block is all zeroes. */
214 memset(&ctx->buf[0], 0, 56);
215 }
216
217 /* Add the terminating bit-count. */
218 be64enc(&ctx->buf[56], ctx->count);
219
220 /* Mix in the final block. */
221 SHA256_Transform(ctx->state, ctx->buf);
222 }
223
224 /* SHA-256 initialization. Begins a SHA-256 operation. */
225 void
SHA256_Init(SHA256_CTX * ctx)226 SHA256_Init(SHA256_CTX * ctx)
227 {
228
229 /* Zero bits processed so far */
230 ctx->count = 0;
231
232 /* Magic initialization constants */
233 ctx->state[0] = 0x6A09E667;
234 ctx->state[1] = 0xBB67AE85;
235 ctx->state[2] = 0x3C6EF372;
236 ctx->state[3] = 0xA54FF53A;
237 ctx->state[4] = 0x510E527F;
238 ctx->state[5] = 0x9B05688C;
239 ctx->state[6] = 0x1F83D9AB;
240 ctx->state[7] = 0x5BE0CD19;
241 }
242
243 /* Add bytes into the hash */
244 void
SHA256_Update(SHA256_CTX * ctx,const void * in,size_t len)245 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
246 {
247 uint64_t bitlen;
248 uint32_t r;
249 const unsigned char *src = in;
250
251 /* Number of bytes left in the buffer from previous updates */
252 r = (ctx->count >> 3) & 0x3f;
253
254 /* Convert the length into a number of bits */
255 bitlen = len << 3;
256
257 /* Update number of bits */
258 ctx->count += bitlen;
259
260 /* Handle the case where we don't need to perform any transforms */
261 if (len < 64 - r) {
262 memcpy(&ctx->buf[r], src, len);
263 return;
264 }
265
266 /* Finish the current block */
267 memcpy(&ctx->buf[r], src, 64 - r);
268 SHA256_Transform(ctx->state, ctx->buf);
269 src += 64 - r;
270 len -= 64 - r;
271
272 /* Perform complete blocks */
273 while (len >= 64) {
274 SHA256_Transform(ctx->state, src);
275 src += 64;
276 len -= 64;
277 }
278
279 /* Copy left over data into buffer */
280 memcpy(ctx->buf, src, len);
281 }
282
283 /*
284 * SHA-256 finalization. Pads the input data, exports the hash value,
285 * and clears the context state.
286 */
287 void
SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH],SHA256_CTX * ctx)288 SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx)
289 {
290
291 /* Add padding */
292 SHA256_Pad(ctx);
293
294 /* Write the hash */
295 be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH);
296
297 /* Clear the context state */
298 memset(ctx, 0, sizeof(*ctx));
299 }
300
301 #ifdef WEAK_REFS
302 /* When building libmd, provide weak references. Note: this is not
303 activated in the context of compiling these sources for internal
304 use in libcrypt.
305 */
306 #undef SHA256_Init
307 __weak_reference(_libmd_SHA256_Init, SHA256_Init);
308 #undef SHA256_Update
309 __weak_reference(_libmd_SHA256_Update, SHA256_Update);
310 #undef SHA256_Final
311 __weak_reference(_libmd_SHA256_Final, SHA256_Final);
312 #undef SHA256_Transform
313 __weak_reference(_libmd_SHA256_Transform, SHA256_Transform);
314 #endif
315