1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15
16 #include "hitls_build.h"
17 #if defined(HITLS_CRYPTO_SHA256) && !defined(HITLS_CRYPTO_SHA256_SMALL_MEM)
18
19 #include "crypt_sha2.h"
20 #include "crypt_utils.h"
21 #include "sha2_core.h"
22
23 static const uint32_t K256[64] = {
24 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
25 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
26 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
27 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
28 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
29 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
30 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
31 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
32 };
33 #define ROTR32(x, n) (((x) << (32 - (n))) | ((x) >> (n))) // Assumes that x is uint32_t and 0 < n < 32
34
35 #define S0(x) (ROTR32((x), 7) ^ ROTR32((x), 18) ^ ((x) >> 3))
36 #define S1(x) (ROTR32((x), 17) ^ ROTR32((x), 19) ^ ((x) >> 10))
37
38 #define R(w, t) \
39 (S1((w)[(t) - 2]) + (w)[(t) - 7] + \
40 S0((w)[(t) - 15]) + (w)[(t) - 16])
41
42 #define ROUND(a, b, c, d, e, f, g, h, i, k) \
43 do { \
44 /* constants: 6, 11, 25 */ \
45 (h) += (ROTR32((e), 6) ^ ROTR32((e), 11) ^ ROTR32((e), 25)) + \
46 ((g) ^ ((e) & ((f) ^ (g)))) + (k) + (i); \
47 (d) += (h); \
48 /* constants: 2, 13, 22 */ \
49 (h) += (ROTR32((a), 2) ^ ROTR32((a), 13) ^ ROTR32((a), 22)) + \
50 (((a) & ((b) | (c))) | ((b) & (c))); \
51 } while (0)
52
CompressBlock(uint32_t state[8],const uint8_t block[CRYPT_SHA2_256_BLOCKSIZE])53 static void CompressBlock(uint32_t state[8], const uint8_t block[CRYPT_SHA2_256_BLOCKSIZE])
54 {
55 uint32_t w[64];
56
57 // RFC 6.2.1. Prepare the message schedule w:
58 // For t = 0 to 15
59 // Wt = M(i)t
60 for (unsigned i = 0; i < 16; i++) { // 16 rounds to prepare the message schedule
61 w[i] = GET_UINT32_BE(block, 4 * (i)); /* 4 means bytes of uint32_t */
62 }
63
64 // For t = 16 to 63
65 // Wt = SSIG1(w(t-2)) + w(t-7) + SSIG0(t-15) + w(t-16)
66 // @perf: speed up about 18% than expanded in x86_64
67
68 // RFC 6.2.2. Initialize the working variables:
69 // a, b, ..., g, h = H(i-1)[0..7]
70 uint32_t a = state[0];
71 uint32_t b = state[1];
72 uint32_t c = state[2];
73 uint32_t d = state[3];
74 uint32_t e = state[4];
75 uint32_t f = state[5];
76 uint32_t g = state[6];
77 uint32_t h = state[7];
78
79 // RFC 6.2.3. Perform the main hash computation:
80 for (unsigned i = 0; i < 16; i += 8) { /* 0 ~ 16 rounds to do hash computation, 8 rounds pre loop */
81 ROUND(a, b, c, d, e, f, g, h, w[i + 0], K256[i + 0]);
82 ROUND(h, a, b, c, d, e, f, g, w[i + 1], K256[i + 1]);
83 ROUND(g, h, a, b, c, d, e, f, w[i + 2], K256[i + 2]);
84 ROUND(f, g, h, a, b, c, d, e, w[i + 3], K256[i + 3]);
85 ROUND(e, f, g, h, a, b, c, d, w[i + 4], K256[i + 4]);
86 ROUND(d, e, f, g, h, a, b, c, w[i + 5], K256[i + 5]);
87 ROUND(c, d, e, f, g, h, a, b, w[i + 6], K256[i + 6]);
88 ROUND(b, c, d, e, f, g, h, a, w[i + 7], K256[i + 7]);
89 }
90
91 for (unsigned i = 16; i < 64; i += 8) { /* 16 ~ 64 rounds to do hash computation, 8 rounds pre loop */
92 w[i + 0] = R(w, i + 0);
93 ROUND(a, b, c, d, e, f, g, h, w[i + 0], K256[i + 0]);
94 w[i + 1] = R(w, i + 1);
95 ROUND(h, a, b, c, d, e, f, g, w[i + 1], K256[i + 1]);
96 w[i + 2] = R(w, i + 2);
97 ROUND(g, h, a, b, c, d, e, f, w[i + 2], K256[i + 2]);
98 w[i + 3] = R(w, i + 3);
99 ROUND(f, g, h, a, b, c, d, e, w[i + 3], K256[i + 3]);
100 w[i + 4] = R(w, i + 4);
101 ROUND(e, f, g, h, a, b, c, d, w[i + 4], K256[i + 4]);
102 w[i + 5] = R(w, i + 5);
103 ROUND(d, e, f, g, h, a, b, c, w[i + 5], K256[i + 5]);
104 w[i + 6] = R(w, i + 6);
105 ROUND(c, d, e, f, g, h, a, b, w[i + 6], K256[i + 6]);
106 w[i + 7] = R(w, i + 7);
107 ROUND(b, c, d, e, f, g, h, a, w[i + 7], K256[i + 7]);
108 }
109
110 // RFC 6.2.4. Compute the intermediate hash value H(i):
111 // H(i) = [a, b, ..., g, h] + H(i-1)[0..7]
112 state[0] += a;
113 state[1] += b;
114 state[2] += c;
115 state[3] += d;
116 state[4] += e;
117 state[5] += f;
118 state[6] += g;
119 state[7] += h;
120 }
121 #undef ROTR32
122 #undef ROUND
123
SHA256CompressMultiBlocks(uint32_t hash[8],const uint8_t * in,uint32_t num)124 void SHA256CompressMultiBlocks(uint32_t hash[8], const uint8_t *in, uint32_t num)
125 {
126 uint32_t n = num;
127 const uint8_t *p = in;
128 while (n > 0) {
129 CompressBlock(hash, p);
130 p += CRYPT_SHA2_256_BLOCKSIZE;
131 n--;
132 }
133 }
134 #endif // HITLS_CRYPTO_SHA256 && !HITLS_CRYPTO_SHA256_SMALL_MEM
135