1143334Scperciva/*- 2143334Scperciva * Copyright 2005 Colin Percival 3143334Scperciva * All rights reserved. 4143334Scperciva * 5143334Scperciva * Redistribution and use in source and binary forms, with or without 6143334Scperciva * modification, are permitted provided that the following conditions 7143334Scperciva * are met: 8143334Scperciva * 1. Redistributions of source code must retain the above copyright 9143334Scperciva * notice, this list of conditions and the following disclaimer. 10143334Scperciva * 2. Redistributions in binary form must reproduce the above copyright 11143334Scperciva * notice, this list of conditions and the following disclaimer in the 12143334Scperciva * documentation and/or other materials provided with the distribution. 13143334Scperciva * 14143334Scperciva * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15143334Scperciva * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16143334Scperciva * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17143334Scperciva * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18143334Scperciva * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19143334Scperciva * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20143334Scperciva * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21143334Scperciva * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22143334Scperciva * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23143334Scperciva * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24143334Scperciva * SUCH DAMAGE. 25143334Scperciva */ 26143334Scperciva 27143334Scperciva#include <sys/cdefs.h> 28143334Scperciva__FBSDID("$FreeBSD$"); 29143334Scperciva 30143334Scperciva#include <sys/endian.h> 31143334Scperciva#include <sys/types.h> 32143334Scperciva 33143334Scperciva#include <string.h> 34143334Scperciva 35143334Scperciva#include "sha256.h" 36143334Scperciva 37143334Scperciva#if BYTE_ORDER == BIG_ENDIAN 38143334Scperciva 39143334Scperciva/* Copy a vector of big-endian uint32_t into a vector of bytes */ 40143334Scperciva#define be32enc_vect(dst, src, len) \ 41143334Scperciva memcpy((void *)dst, (const void *)src, (size_t)len) 42143334Scperciva 43143334Scperciva/* Copy a vector of bytes into a vector of big-endian uint32_t */ 44143334Scperciva#define be32dec_vect(dst, src, len) \ 45143334Scperciva memcpy((void *)dst, (const void *)src, (size_t)len) 46143334Scperciva 47143334Scperciva#else /* BYTE_ORDER != BIG_ENDIAN */ 48143334Scperciva 49143334Scperciva/* 50143334Scperciva * Encode a length len/4 vector of (uint32_t) into a length len vector of 51143334Scperciva * (unsigned char) in big-endian form. Assumes len is a multiple of 4. 52143334Scperciva */ 53143334Scpercivastatic void 54143334Scpercivabe32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) 55143334Scperciva{ 56143334Scperciva size_t i; 57143334Scperciva 58143334Scperciva for (i = 0; i < len / 4; i++) 59143334Scperciva be32enc(dst + i * 4, src[i]); 60143334Scperciva} 61143334Scperciva 62143334Scperciva/* 63143334Scperciva * Decode a big-endian length len vector of (unsigned char) into a length 64143334Scperciva * len/4 vector of (uint32_t). Assumes len is a multiple of 4. 65143334Scperciva */ 66143334Scpercivastatic void 67143334Scpercivabe32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) 68143334Scperciva{ 69143334Scperciva size_t i; 70143334Scperciva 71143334Scperciva for (i = 0; i < len / 4; i++) 72143334Scperciva dst[i] = be32dec(src + i * 4); 73143334Scperciva} 74143334Scperciva 75143334Scperciva#endif /* BYTE_ORDER != BIG_ENDIAN */ 76143334Scperciva 77143334Scperciva/* Elementary functions used by SHA256 */ 78143334Scperciva#define Ch(x, y, z) ((x & (y ^ z)) ^ z) 79143334Scperciva#define Maj(x, y, z) ((x & (y | z)) | (y & z)) 80143334Scperciva#define SHR(x, n) (x >> n) 81143334Scperciva#define ROTR(x, n) ((x >> n) | (x << (32 - n))) 82143334Scperciva#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 83143334Scperciva#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 84143334Scperciva#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) 85143334Scperciva#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) 86143334Scperciva 87143334Scperciva/* SHA256 round function */ 88143334Scperciva#define RND(a, b, c, d, e, f, g, h, k) \ 89143334Scperciva t0 = h + S1(e) + Ch(e, f, g) + k; \ 90143334Scperciva t1 = S0(a) + Maj(a, b, c); \ 91143334Scperciva d += t0; \ 92143334Scperciva h = t0 + t1; 93143334Scperciva 94143334Scperciva/* Adjusted round function for rotating state */ 95143334Scperciva#define RNDr(S, W, i, k) \ 96143334Scperciva RND(S[(64 - i) % 8], S[(65 - i) % 8], \ 97143334Scperciva S[(66 - i) % 8], S[(67 - i) % 8], \ 98143334Scperciva S[(68 - i) % 8], S[(69 - i) % 8], \ 99143334Scperciva S[(70 - i) % 8], S[(71 - i) % 8], \ 100143334Scperciva W[i] + k) 101143334Scperciva 102143334Scperciva/* 103143334Scperciva * SHA256 block compression function. The 256-bit state is transformed via 104143334Scperciva * the 512-bit input block to produce a new state. 105143334Scperciva */ 106143334Scpercivastatic void 107143334ScpercivaSHA256_Transform(uint32_t * state, const unsigned char block[64]) 108143334Scperciva{ 109143334Scperciva uint32_t W[64]; 110143334Scperciva uint32_t S[8]; 111143334Scperciva uint32_t t0, t1; 112143334Scperciva int i; 113143334Scperciva 114143334Scperciva /* 1. Prepare message schedule W. */ 115143334Scperciva be32dec_vect(W, block, 64); 116143334Scperciva for (i = 16; i < 64; i++) 117143334Scperciva W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; 118143334Scperciva 119143334Scperciva /* 2. Initialize working variables. */ 120143334Scperciva memcpy(S, state, 32); 121143334Scperciva 122143334Scperciva /* 3. Mix. */ 123143334Scperciva RNDr(S, W, 0, 0x428a2f98); 124143334Scperciva RNDr(S, W, 1, 0x71374491); 125143334Scperciva RNDr(S, W, 2, 0xb5c0fbcf); 126143334Scperciva RNDr(S, W, 3, 0xe9b5dba5); 127143334Scperciva RNDr(S, W, 4, 0x3956c25b); 128143334Scperciva RNDr(S, W, 5, 0x59f111f1); 129143334Scperciva RNDr(S, W, 6, 0x923f82a4); 130143334Scperciva RNDr(S, W, 7, 0xab1c5ed5); 131143334Scperciva RNDr(S, W, 8, 0xd807aa98); 132143334Scperciva RNDr(S, W, 9, 0x12835b01); 133143334Scperciva RNDr(S, W, 10, 0x243185be); 134143334Scperciva RNDr(S, W, 11, 0x550c7dc3); 135143334Scperciva RNDr(S, W, 12, 0x72be5d74); 136143334Scperciva RNDr(S, W, 13, 0x80deb1fe); 137143334Scperciva RNDr(S, W, 14, 0x9bdc06a7); 138143334Scperciva RNDr(S, W, 15, 0xc19bf174); 139143334Scperciva RNDr(S, W, 16, 0xe49b69c1); 140143334Scperciva RNDr(S, W, 17, 0xefbe4786); 141143334Scperciva RNDr(S, W, 18, 0x0fc19dc6); 142143334Scperciva RNDr(S, W, 19, 0x240ca1cc); 143143334Scperciva RNDr(S, W, 20, 0x2de92c6f); 144143334Scperciva RNDr(S, W, 21, 0x4a7484aa); 145143334Scperciva RNDr(S, W, 22, 0x5cb0a9dc); 146143334Scperciva RNDr(S, W, 23, 0x76f988da); 147143334Scperciva RNDr(S, W, 24, 0x983e5152); 148143334Scperciva RNDr(S, W, 25, 0xa831c66d); 149143334Scperciva RNDr(S, W, 26, 0xb00327c8); 150143334Scperciva RNDr(S, W, 27, 0xbf597fc7); 151143334Scperciva RNDr(S, W, 28, 0xc6e00bf3); 152143334Scperciva RNDr(S, W, 29, 0xd5a79147); 153143334Scperciva RNDr(S, W, 30, 0x06ca6351); 154143334Scperciva RNDr(S, W, 31, 0x14292967); 155143334Scperciva RNDr(S, W, 32, 0x27b70a85); 156143334Scperciva RNDr(S, W, 33, 0x2e1b2138); 157143334Scperciva RNDr(S, W, 34, 0x4d2c6dfc); 158143334Scperciva RNDr(S, W, 35, 0x53380d13); 159143334Scperciva RNDr(S, W, 36, 0x650a7354); 160143334Scperciva RNDr(S, W, 37, 0x766a0abb); 161143334Scperciva RNDr(S, W, 38, 0x81c2c92e); 162143334Scperciva RNDr(S, W, 39, 0x92722c85); 163143334Scperciva RNDr(S, W, 40, 0xa2bfe8a1); 164143334Scperciva RNDr(S, W, 41, 0xa81a664b); 165143334Scperciva RNDr(S, W, 42, 0xc24b8b70); 166143334Scperciva RNDr(S, W, 43, 0xc76c51a3); 167143334Scperciva RNDr(S, W, 44, 0xd192e819); 168143334Scperciva RNDr(S, W, 45, 0xd6990624); 169143334Scperciva RNDr(S, W, 46, 0xf40e3585); 170143334Scperciva RNDr(S, W, 47, 0x106aa070); 171143334Scperciva RNDr(S, W, 48, 0x19a4c116); 172143334Scperciva RNDr(S, W, 49, 0x1e376c08); 173143334Scperciva RNDr(S, W, 50, 0x2748774c); 174143334Scperciva RNDr(S, W, 51, 0x34b0bcb5); 175143334Scperciva RNDr(S, W, 52, 0x391c0cb3); 176143334Scperciva RNDr(S, W, 53, 0x4ed8aa4a); 177143334Scperciva RNDr(S, W, 54, 0x5b9cca4f); 178143334Scperciva RNDr(S, W, 55, 0x682e6ff3); 179143334Scperciva RNDr(S, W, 56, 0x748f82ee); 180143334Scperciva RNDr(S, W, 57, 0x78a5636f); 181143334Scperciva RNDr(S, W, 58, 0x84c87814); 182143334Scperciva RNDr(S, W, 59, 0x8cc70208); 183143334Scperciva RNDr(S, W, 60, 0x90befffa); 184143334Scperciva RNDr(S, W, 61, 0xa4506ceb); 185143334Scperciva RNDr(S, W, 62, 0xbef9a3f7); 186143334Scperciva RNDr(S, W, 63, 0xc67178f2); 187143334Scperciva 188143334Scperciva /* 4. Mix local working variables into global state */ 189143334Scperciva for (i = 0; i < 8; i++) 190143334Scperciva state[i] += S[i]; 191143334Scperciva} 192143334Scperciva 193143334Scpercivastatic unsigned char PAD[64] = { 194143334Scperciva 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 195143334Scperciva 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 196143334Scperciva 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 197143334Scperciva 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 198143334Scperciva}; 199143334Scperciva 200143334Scperciva/* Add padding and terminating bit-count. */ 201143334Scpercivastatic void 202143334ScpercivaSHA256_Pad(SHA256_CTX * ctx) 203143334Scperciva{ 204143334Scperciva unsigned char len[8]; 205143334Scperciva uint32_t r, plen; 206143334Scperciva 207143334Scperciva /* 208143334Scperciva * Convert length to a vector of bytes -- we do this now rather 209143334Scperciva * than later because the length will change after we pad. 210143334Scperciva */ 211143334Scperciva be32enc_vect(len, ctx->count, 8); 212143334Scperciva 213143334Scperciva /* Add 1--64 bytes so that the resulting length is 56 mod 64 */ 214143334Scperciva r = (ctx->count[1] >> 3) & 0x3f; 215143334Scperciva plen = (r < 56) ? (56 - r) : (120 - r); 216143334Scperciva SHA256_Update(ctx, PAD, (size_t)plen); 217143334Scperciva 218143334Scperciva /* Add the terminating bit-count */ 219143334Scperciva SHA256_Update(ctx, len, 8); 220143334Scperciva} 221143334Scperciva 222143334Scperciva/* SHA-256 initialization. Begins a SHA-256 operation. */ 223143334Scpercivavoid 224143334ScpercivaSHA256_Init(SHA256_CTX * ctx) 225143334Scperciva{ 226143334Scperciva 227143334Scperciva /* Zero bits processed so far */ 228143334Scperciva ctx->count[0] = ctx->count[1] = 0; 229143334Scperciva 230143334Scperciva /* Magic initialization constants */ 231143334Scperciva ctx->state[0] = 0x6A09E667; 232143334Scperciva ctx->state[1] = 0xBB67AE85; 233143334Scperciva ctx->state[2] = 0x3C6EF372; 234143334Scperciva ctx->state[3] = 0xA54FF53A; 235143334Scperciva ctx->state[4] = 0x510E527F; 236143334Scperciva ctx->state[5] = 0x9B05688C; 237143334Scperciva ctx->state[6] = 0x1F83D9AB; 238143334Scperciva ctx->state[7] = 0x5BE0CD19; 239143334Scperciva} 240143334Scperciva 241143334Scperciva/* Add bytes into the hash */ 242143334Scpercivavoid 243154479SphkSHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) 244143334Scperciva{ 245143334Scperciva uint32_t bitlen[2]; 246143334Scperciva uint32_t r; 247154479Sphk const unsigned char *src = in; 248143334Scperciva 249143334Scperciva /* Number of bytes left in the buffer from previous updates */ 250143334Scperciva r = (ctx->count[1] >> 3) & 0x3f; 251143334Scperciva 252143334Scperciva /* Convert the length into a number of bits */ 253143334Scperciva bitlen[1] = ((uint32_t)len) << 3; 254143334Scperciva bitlen[0] = (uint32_t)(len >> 29); 255143334Scperciva 256143334Scperciva /* Update number of bits */ 257143334Scperciva if ((ctx->count[1] += bitlen[1]) < bitlen[1]) 258143334Scperciva ctx->count[0]++; 259143334Scperciva ctx->count[0] += bitlen[0]; 260143334Scperciva 261143334Scperciva /* Handle the case where we don't need to perform any transforms */ 262143334Scperciva if (len < 64 - r) { 263143334Scperciva memcpy(&ctx->buf[r], src, len); 264143334Scperciva return; 265143334Scperciva } 266143334Scperciva 267143334Scperciva /* Finish the current block */ 268143334Scperciva memcpy(&ctx->buf[r], src, 64 - r); 269143334Scperciva SHA256_Transform(ctx->state, ctx->buf); 270143334Scperciva src += 64 - r; 271143334Scperciva len -= 64 - r; 272143334Scperciva 273143334Scperciva /* Perform complete blocks */ 274143334Scperciva while (len >= 64) { 275143334Scperciva SHA256_Transform(ctx->state, src); 276143334Scperciva src += 64; 277143334Scperciva len -= 64; 278143334Scperciva } 279143334Scperciva 280143334Scperciva /* Copy left over data into buffer */ 281143334Scperciva memcpy(ctx->buf, src, len); 282143334Scperciva} 283143334Scperciva 284143334Scperciva/* 285143334Scperciva * SHA-256 finalization. Pads the input data, exports the hash value, 286143334Scperciva * and clears the context state. 287143334Scperciva */ 288143334Scpercivavoid 289143334ScpercivaSHA256_Final(unsigned char digest[32], SHA256_CTX * ctx) 290143334Scperciva{ 291143334Scperciva 292143334Scperciva /* Add padding */ 293143334Scperciva SHA256_Pad(ctx); 294143334Scperciva 295143334Scperciva /* Write the hash */ 296143334Scperciva be32enc_vect(digest, ctx->state, 32); 297143334Scperciva 298143334Scperciva /* Clear the context state */ 299143334Scperciva memset((void *)ctx, 0, sizeof(*ctx)); 300143334Scperciva} 301