1 /*
2 * FIPS 180-2 SHA-224/256/384/512 implementation
3 * Last update: 02/02/2007
4 * Issue date: 04/30/2005
5 *
6 * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
7 * All rights reserved.
8 *
9 * Copyright (c) 2016, Linaro Limited
10 * All rights reserved.
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. Neither the name of the project nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37 #include <string.h>
38 #include "sha2.h"
39
40 #define SHFR(x, n) (x >> n)
41 #define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n)))
42 #define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n)))
43 #define CH(x, y, z) ((x & y) ^ (~x & z))
44 #define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
45
46 #define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
47 #define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
48 #define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3))
49 #define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
50
51 #define UNPACK32(x, str) \
52 { \
53 *((str) + 3) = (uint8) ((x) ); \
54 *((str) + 2) = (uint8) ((x) >> 8); \
55 *((str) + 1) = (uint8) ((x) >> 16); \
56 *((str) + 0) = (uint8) ((x) >> 24); \
57 }
58
59 #define PACK32(str, x) \
60 { \
61 *(x) = ((uint32) *((str) + 3) ) \
62 | ((uint32) *((str) + 2) << 8) \
63 | ((uint32) *((str) + 1) << 16) \
64 | ((uint32) *((str) + 0) << 24); \
65 }
66
67 #define UNPACK64(x, str) \
68 { \
69 *((str) + 7) = (uint8) ((x) ); \
70 *((str) + 6) = (uint8) ((x) >> 8); \
71 *((str) + 5) = (uint8) ((x) >> 16); \
72 *((str) + 4) = (uint8) ((x) >> 24); \
73 *((str) + 3) = (uint8) ((x) >> 32); \
74 *((str) + 2) = (uint8) ((x) >> 40); \
75 *((str) + 1) = (uint8) ((x) >> 48); \
76 *((str) + 0) = (uint8) ((x) >> 56); \
77 }
78
79 #define PACK64(str, x) \
80 { \
81 *(x) = ((uint64) *((str) + 7) ) \
82 | ((uint64) *((str) + 6) << 8) \
83 | ((uint64) *((str) + 5) << 16) \
84 | ((uint64) *((str) + 4) << 24) \
85 | ((uint64) *((str) + 3) << 32) \
86 | ((uint64) *((str) + 2) << 40) \
87 | ((uint64) *((str) + 1) << 48) \
88 | ((uint64) *((str) + 0) << 56); \
89 }
90
91 #define SHA256_SCR(i) \
92 { \
93 w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \
94 + SHA256_F3(w[i - 15]) + w[i - 16]; \
95 }
96
97 uint32 sha256_h0[8] =
98 {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
99 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
100
101 uint32 sha256_k[64] =
102 {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
103 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
104 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
105 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
106 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
107 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
108 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
109 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
110 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
111 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
112 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
113 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
114 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
115 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
116 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
117 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
118
119 /* SHA-256 functions */
120
sha256_transf(sha256_ctx * ctx,const unsigned char * message,unsigned int block_nb)121 static void sha256_transf(sha256_ctx *ctx, const unsigned char *message,
122 unsigned int block_nb)
123 {
124 uint32 w[64] = { 0 };
125 uint32 wv[8] = { 0 };
126 uint32 t1 = 0;
127 uint32 t2 = 0;
128 const unsigned char *sub_block = NULL;
129 int i = 0;
130 int j = 0;
131
132 for (i = 0; i < (int) block_nb; i++) {
133 sub_block = message + (i << 6);
134
135 for (j = 0; j < 16; j++) {
136 PACK32(&sub_block[j << 2], &w[j]);
137 }
138
139 for (j = 16; j < 64; j++) {
140 SHA256_SCR(j);
141 }
142
143 for (j = 0; j < 8; j++) {
144 wv[j] = ctx->h[j];
145 }
146
147 for (j = 0; j < 64; j++) {
148 t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
149 + sha256_k[j] + w[j];
150 t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
151 wv[7] = wv[6];
152 wv[6] = wv[5];
153 wv[5] = wv[4];
154 wv[4] = wv[3] + t1;
155 wv[3] = wv[2];
156 wv[2] = wv[1];
157 wv[1] = wv[0];
158 wv[0] = t1 + t2;
159 }
160
161 for (j = 0; j < 8; j++) {
162 ctx->h[j] += wv[j];
163 }
164 }
165 }
166
sha256(const unsigned char * message,unsigned int len,unsigned char * digest)167 void sha256(const unsigned char *message, unsigned int len,
168 unsigned char *digest)
169 {
170 sha256_ctx ctx;
171
172 memset(&ctx, 0, sizeof(ctx));
173
174 sha256_init(&ctx);
175 sha256_update(&ctx, message, len);
176 sha256_final(&ctx, digest);
177 }
178
sha256_init(sha256_ctx * ctx)179 void sha256_init(sha256_ctx *ctx)
180 {
181 int i = 0;
182
183 for (i = 0; i < 8; i++) {
184 ctx->h[i] = sha256_h0[i];
185 }
186
187 ctx->len = 0;
188 ctx->tot_len = 0;
189 }
190
sha256_update(sha256_ctx * ctx,const unsigned char * message,unsigned int len)191 void sha256_update(sha256_ctx *ctx, const unsigned char *message,
192 unsigned int len)
193 {
194 unsigned int block_nb = 0;
195 unsigned int new_len = 0;
196 unsigned int rem_len = 0;
197 unsigned int tmp_len = 0;
198 const unsigned char *shifted_message = NULL;
199
200 tmp_len = SHA256_BLOCK_SIZE - ctx->len;
201 rem_len = len < tmp_len ? len : tmp_len;
202
203 memcpy(&ctx->block[ctx->len], message, rem_len);
204
205 if (ctx->len + len < SHA256_BLOCK_SIZE) {
206 ctx->len += len;
207 return;
208 }
209
210 new_len = len - rem_len;
211 block_nb = new_len / SHA256_BLOCK_SIZE;
212
213 shifted_message = message + rem_len;
214
215 sha256_transf(ctx, ctx->block, 1);
216 sha256_transf(ctx, shifted_message, block_nb);
217
218 rem_len = new_len % SHA256_BLOCK_SIZE;
219
220 memcpy(ctx->block, &shifted_message[block_nb << 6],
221 rem_len);
222
223 ctx->len = rem_len;
224 ctx->tot_len += (block_nb + 1) << 6;
225 }
226
sha256_final(sha256_ctx * ctx,unsigned char * digest)227 void sha256_final(sha256_ctx *ctx, unsigned char *digest)
228 {
229 unsigned int block_nb = 0;
230 unsigned int pm_len = 0;
231 unsigned int len_b = 0;
232 int i = 0;
233
234 block_nb = (1 + ((SHA256_BLOCK_SIZE - 9)
235 < (ctx->len % SHA256_BLOCK_SIZE)));
236
237 len_b = (ctx->tot_len + ctx->len) << 3;
238 pm_len = block_nb << 6;
239
240 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
241 ctx->block[ctx->len] = 0x80;
242 UNPACK32(len_b, ctx->block + pm_len - 4);
243
244 sha256_transf(ctx, ctx->block, block_nb);
245
246 for (i = 0 ; i < 8; i++) {
247 UNPACK32(ctx->h[i], &digest[i << 2]);
248 }
249 }
250