1 /*
2  * FIPS 180-2 SHA-224/256/384/512 implementation
3  * Last update: 02/02/2007
4  * Issue date:  04/30/2005
5  *
6  * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
7  * All rights reserved.
8  *
9  * Copyright (c) 2016, Linaro Limited
10  * All rights reserved.
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, this list of conditions and the following disclaimer.
17  * 2. Redistributions in binary form must reproduce the above copyright
18  *    notice, this list of conditions and the following disclaimer in the
19  *    documentation and/or other materials provided with the distribution.
20  * 3. Neither the name of the project nor the names of its contributors
21  *    may be used to endorse or promote products derived from this software
22  *    without specific prior written permission.
23  *
24  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
25  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
28  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34  * SUCH DAMAGE.
35  */
36 
37 #include <string.h>
38 #include "sha2.h"
39 
40 #define SHFR(x, n)    (x >> n)
41 #define ROTR(x, n)   ((x >> n) | (x << ((sizeof(x) << 3) - n)))
42 #define ROTL(x, n)   ((x << n) | (x >> ((sizeof(x) << 3) - n)))
43 #define CH(x, y, z)  ((x & y) ^ (~x & z))
44 #define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
45 
46 #define SHA256_F1(x) (ROTR(x,  2) ^ ROTR(x, 13) ^ ROTR(x, 22))
47 #define SHA256_F2(x) (ROTR(x,  6) ^ ROTR(x, 11) ^ ROTR(x, 25))
48 #define SHA256_F3(x) (ROTR(x,  7) ^ ROTR(x, 18) ^ SHFR(x,  3))
49 #define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
50 
51 #define UNPACK32(x, str)                      \
52 {                                             \
53     *((str) + 3) = (uint8) ((x)      );       \
54     *((str) + 2) = (uint8) ((x) >>  8);       \
55     *((str) + 1) = (uint8) ((x) >> 16);       \
56     *((str) + 0) = (uint8) ((x) >> 24);       \
57 }
58 
59 #define PACK32(str, x)                        \
60 {                                             \
61     *(x) =   ((uint32) *((str) + 3)      )    \
62            | ((uint32) *((str) + 2) <<  8)    \
63            | ((uint32) *((str) + 1) << 16)    \
64            | ((uint32) *((str) + 0) << 24);   \
65 }
66 
67 #define UNPACK64(x, str)                      \
68 {                                             \
69     *((str) + 7) = (uint8) ((x)      );       \
70     *((str) + 6) = (uint8) ((x) >>  8);       \
71     *((str) + 5) = (uint8) ((x) >> 16);       \
72     *((str) + 4) = (uint8) ((x) >> 24);       \
73     *((str) + 3) = (uint8) ((x) >> 32);       \
74     *((str) + 2) = (uint8) ((x) >> 40);       \
75     *((str) + 1) = (uint8) ((x) >> 48);       \
76     *((str) + 0) = (uint8) ((x) >> 56);       \
77 }
78 
79 #define PACK64(str, x)                        \
80 {                                             \
81     *(x) =   ((uint64) *((str) + 7)      )    \
82            | ((uint64) *((str) + 6) <<  8)    \
83            | ((uint64) *((str) + 5) << 16)    \
84            | ((uint64) *((str) + 4) << 24)    \
85            | ((uint64) *((str) + 3) << 32)    \
86            | ((uint64) *((str) + 2) << 40)    \
87            | ((uint64) *((str) + 1) << 48)    \
88            | ((uint64) *((str) + 0) << 56);   \
89 }
90 
91 #define SHA256_SCR(i)                         \
92 {                                             \
93     w[i] =  SHA256_F4(w[i -  2]) + w[i -  7]  \
94           + SHA256_F3(w[i - 15]) + w[i - 16]; \
95 }
96 
97 uint32 sha256_h0[8] =
98             {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
99              0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
100 
101 uint32 sha256_k[64] =
102             {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
103              0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
104              0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
105              0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
106              0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
107              0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
108              0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
109              0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
110              0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
111              0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
112              0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
113              0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
114              0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
115              0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
116              0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
117              0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
118 
119 /* SHA-256 functions */
120 
sha256_transf(sha256_ctx * ctx,const unsigned char * message,unsigned int block_nb)121 static void sha256_transf(sha256_ctx *ctx, const unsigned char *message,
122                           unsigned int block_nb)
123 {
124     uint32 w[64] = { 0 };
125     uint32 wv[8] = { 0 };
126     uint32 t1 = 0;
127     uint32 t2 = 0;
128     const unsigned char *sub_block = NULL;
129     int i = 0;
130     int j = 0;
131 
132     for (i = 0; i < (int) block_nb; i++) {
133         sub_block = message + (i << 6);
134 
135         for (j = 0; j < 16; j++) {
136             PACK32(&sub_block[j << 2], &w[j]);
137         }
138 
139         for (j = 16; j < 64; j++) {
140             SHA256_SCR(j);
141         }
142 
143         for (j = 0; j < 8; j++) {
144             wv[j] = ctx->h[j];
145         }
146 
147         for (j = 0; j < 64; j++) {
148             t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
149                 + sha256_k[j] + w[j];
150             t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
151             wv[7] = wv[6];
152             wv[6] = wv[5];
153             wv[5] = wv[4];
154             wv[4] = wv[3] + t1;
155             wv[3] = wv[2];
156             wv[2] = wv[1];
157             wv[1] = wv[0];
158             wv[0] = t1 + t2;
159         }
160 
161         for (j = 0; j < 8; j++) {
162             ctx->h[j] += wv[j];
163         }
164     }
165 }
166 
sha256(const unsigned char * message,unsigned int len,unsigned char * digest)167 void sha256(const unsigned char *message, unsigned int len,
168 	    unsigned char *digest)
169 {
170     sha256_ctx ctx;
171 
172     memset(&ctx, 0, sizeof(ctx));
173 
174     sha256_init(&ctx);
175     sha256_update(&ctx, message, len);
176     sha256_final(&ctx, digest);
177 }
178 
sha256_init(sha256_ctx * ctx)179 void sha256_init(sha256_ctx *ctx)
180 {
181     int i = 0;
182 
183     for (i = 0; i < 8; i++) {
184         ctx->h[i] = sha256_h0[i];
185     }
186 
187     ctx->len = 0;
188     ctx->tot_len = 0;
189 }
190 
sha256_update(sha256_ctx * ctx,const unsigned char * message,unsigned int len)191 void sha256_update(sha256_ctx *ctx, const unsigned char *message,
192                    unsigned int len)
193 {
194     unsigned int block_nb = 0;
195     unsigned int new_len = 0;
196     unsigned int rem_len = 0;
197     unsigned int tmp_len = 0;
198     const unsigned char *shifted_message = NULL;
199 
200     tmp_len = SHA256_BLOCK_SIZE - ctx->len;
201     rem_len = len < tmp_len ? len : tmp_len;
202 
203     memcpy(&ctx->block[ctx->len], message, rem_len);
204 
205     if (ctx->len + len < SHA256_BLOCK_SIZE) {
206         ctx->len += len;
207         return;
208     }
209 
210     new_len = len - rem_len;
211     block_nb = new_len / SHA256_BLOCK_SIZE;
212 
213     shifted_message = message + rem_len;
214 
215     sha256_transf(ctx, ctx->block, 1);
216     sha256_transf(ctx, shifted_message, block_nb);
217 
218     rem_len = new_len % SHA256_BLOCK_SIZE;
219 
220     memcpy(ctx->block, &shifted_message[block_nb << 6],
221            rem_len);
222 
223     ctx->len = rem_len;
224     ctx->tot_len += (block_nb + 1) << 6;
225 }
226 
sha256_final(sha256_ctx * ctx,unsigned char * digest)227 void sha256_final(sha256_ctx *ctx, unsigned char *digest)
228 {
229     unsigned int block_nb = 0;
230     unsigned int pm_len = 0;
231     unsigned int len_b = 0;
232     int i = 0;
233 
234     block_nb = (1 + ((SHA256_BLOCK_SIZE - 9)
235                      < (ctx->len % SHA256_BLOCK_SIZE)));
236 
237     len_b = (ctx->tot_len + ctx->len) << 3;
238     pm_len = block_nb << 6;
239 
240     memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
241     ctx->block[ctx->len] = 0x80;
242     UNPACK32(len_b, ctx->block + pm_len - 4);
243 
244     sha256_transf(ctx, ctx->block, block_nb);
245 
246     for (i = 0 ; i < 8; i++) {
247         UNPACK32(ctx->h[i], &digest[i << 2]);
248     }
249 }
250