1/* 2 * Copyright 2005 Colin Percival 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27#include <sys/cdefs.h> 28__FBSDID("$FreeBSD$"); 29 30#include <sys/types.h> 31 32#ifdef _KERNEL 33#include <sys/systm.h> 34#else 35#include <string.h> 36#endif 37 38 39#include <sys/byteorder.h> 40#include <sys/endian.h> 41#include "sha224.h" 42#include "sha256.h" 43 44#if BYTE_ORDER == BIG_ENDIAN 45 46/* Copy a vector of big-endian uint32_t into a vector of bytes */ 47#define be32enc_vect(dst, src, len) \ 48 memcpy((void *)dst, (const void *)src, (size_t)len) 49 50/* Copy a vector of bytes into a vector of big-endian uint32_t */ 51#define be32dec_vect(dst, src, len) \ 52 memcpy((void *)dst, (const void *)src, (size_t)len) 53 54#else /* BYTE_ORDER != BIG_ENDIAN */ 55 56/* 57 * Encode a length len/4 vector of (uint32_t) into a length len vector of 58 * (unsigned char) in big-endian form. Assumes len is a multiple of 4. 59 */ 60static void 61be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) 62{ 63 size_t i; 64 65 for (i = 0; i < len / 4; i++) 66 be32enc(dst + i * 4, src[i]); 67} 68 69/* 70 * Decode a big-endian length len vector of (unsigned char) into a length 71 * len/4 vector of (uint32_t). Assumes len is a multiple of 4. 72 */ 73static void 74be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) 75{ 76 size_t i; 77 78 for (i = 0; i < len / 4; i++) 79 dst[i] = be32dec(src + i * 4); 80} 81 82#endif /* BYTE_ORDER != BIG_ENDIAN */ 83 84/* SHA256 round constants. */ 85static const uint32_t K[64] = { 86 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 87 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 88 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 89 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 90 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 91 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 92 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 93 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 94 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 95 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 96 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 97 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 98 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 99 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 100 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 101 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 102}; 103 104/* Elementary functions used by SHA256 */ 105#define Ch(x, y, z) ((x & (y ^ z)) ^ z) 106#define Maj(x, y, z) ((x & (y | z)) | (y & z)) 107#define SHR(x, n) (x >> n) 108#define ROTR(x, n) ((x >> n) | (x << (32 - n))) 109#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 110#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 111#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) 112#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) 113 114/* SHA256 round function */ 115#define RND(a, b, c, d, e, f, g, h, k) \ 116 h += S1(e) + Ch(e, f, g) + k; \ 117 d += h; \ 118 h += S0(a) + Maj(a, b, c); 119 120/* Adjusted round function for rotating state */ 121#define RNDr(S, W, i, ii) \ 122 RND(S[(64 - i) % 8], S[(65 - i) % 8], \ 123 S[(66 - i) % 8], S[(67 - i) % 8], \ 124 S[(68 - i) % 8], S[(69 - i) % 8], \ 125 S[(70 - i) % 8], S[(71 - i) % 8], \ 126 W[i + ii] + K[i + ii]) 127 128/* Message schedule computation */ 129#define MSCH(W, ii, i) \ 130 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + \ 131 s0(W[i + ii + 1]) + W[i + ii] 132 133/* 134 * SHA256 block compression function. The 256-bit state is transformed via 135 * the 512-bit input block to produce a new state. 136 */ 137static void 138SHA256_Transform(uint32_t *state, const unsigned char block[64]) 139{ 140 uint32_t W[64]; 141 uint32_t S[8]; 142 int i; 143 144 /* 1. Prepare the first part of the message schedule W. */ 145 be32dec_vect(W, block, 64); 146 147 /* 2. Initialize working variables. */ 148 memcpy(S, state, 32); 149 150 /* 3. Mix. */ 151 for (i = 0; i < 64; i += 16) { 152 RNDr(S, W, 0, i); 153 RNDr(S, W, 1, i); 154 RNDr(S, W, 2, i); 155 RNDr(S, W, 3, i); 156 RNDr(S, W, 4, i); 157 RNDr(S, W, 5, i); 158 RNDr(S, W, 6, i); 159 RNDr(S, W, 7, i); 160 RNDr(S, W, 8, i); 161 RNDr(S, W, 9, i); 162 RNDr(S, W, 10, i); 163 RNDr(S, W, 11, i); 164 RNDr(S, W, 12, i); 165 RNDr(S, W, 13, i); 166 RNDr(S, W, 14, i); 167 RNDr(S, W, 15, i); 168 169 if (i == 48) 170 break; 171 MSCH(W, 0, i); 172 MSCH(W, 1, i); 173 MSCH(W, 2, i); 174 MSCH(W, 3, i); 175 MSCH(W, 4, i); 176 MSCH(W, 5, i); 177 MSCH(W, 6, i); 178 MSCH(W, 7, i); 179 MSCH(W, 8, i); 180 MSCH(W, 9, i); 181 MSCH(W, 10, i); 182 MSCH(W, 11, i); 183 MSCH(W, 12, i); 184 MSCH(W, 13, i); 185 MSCH(W, 14, i); 186 MSCH(W, 15, i); 187 } 188 189 /* 4. Mix local working variables into global state */ 190 for (i = 0; i < 8; i++) 191 state[i] += S[i]; 192} 193 194static unsigned char PAD[64] = { 195 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 196 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 197 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 198 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 199}; 200 201/* Add padding and terminating bit-count. */ 202static void 203SHA256_Pad(SHA256_CTX * ctx) 204{ 205 size_t r; 206 207 /* Figure out how many bytes we have buffered. */ 208 r = (ctx->count >> 3) & 0x3f; 209 210 /* Pad to 56 mod 64, transforming if we finish a block en route. */ 211 if (r < 56) { 212 /* Pad to 56 mod 64. */ 213 memcpy(&ctx->buf[r], PAD, 56 - r); 214 } else { 215 /* Finish the current block and mix. */ 216 memcpy(&ctx->buf[r], PAD, 64 - r); 217 SHA256_Transform(ctx->state, ctx->buf); 218 219 /* The start of the final block is all zeroes. */ 220 memset(&ctx->buf[0], 0, 56); 221 } 222 223 /* Add the terminating bit-count. */ 224 be64enc(&ctx->buf[56], ctx->count); 225 226 /* Mix in the final block. */ 227 SHA256_Transform(ctx->state, ctx->buf); 228} 229 230/* SHA-256 initialization. Begins a SHA-256 operation. */ 231void 232SHA256_Init(SHA256_CTX * ctx) 233{ 234 235 /* Zero bits processed so far */ 236 ctx->count = 0; 237 238 /* Magic initialization constants */ 239 ctx->state[0] = 0x6A09E667; 240 ctx->state[1] = 0xBB67AE85; 241 ctx->state[2] = 0x3C6EF372; 242 ctx->state[3] = 0xA54FF53A; 243 ctx->state[4] = 0x510E527F; 244 ctx->state[5] = 0x9B05688C; 245 ctx->state[6] = 0x1F83D9AB; 246 ctx->state[7] = 0x5BE0CD19; 247} 248 249/* Add bytes into the hash */ 250void 251SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) 252{ 253 uint64_t bitlen; 254 uint32_t r; 255 const unsigned char *src = in; 256 257 /* Number of bytes left in the buffer from previous updates */ 258 r = (ctx->count >> 3) & 0x3f; 259 260 /* Convert the length into a number of bits */ 261 bitlen = len << 3; 262 263 /* Update number of bits */ 264 ctx->count += bitlen; 265 266 /* Handle the case where we don't need to perform any transforms */ 267 if (len < 64 - r) { 268 memcpy(&ctx->buf[r], src, len); 269 return; 270 } 271 272 /* Finish the current block */ 273 memcpy(&ctx->buf[r], src, 64 - r); 274 SHA256_Transform(ctx->state, ctx->buf); 275 src += 64 - r; 276 len -= 64 - r; 277 278 /* Perform complete blocks */ 279 while (len >= 64) { 280 SHA256_Transform(ctx->state, src); 281 src += 64; 282 len -= 64; 283 } 284 285 /* Copy left over data into buffer */ 286 memcpy(ctx->buf, src, len); 287} 288 289/* 290 * SHA-256 finalization. Pads the input data, exports the hash value, 291 * and clears the context state. 292 */ 293void 294SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx) 295{ 296 297 /* Add padding */ 298 SHA256_Pad(ctx); 299 300 /* Write the hash */ 301 be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH); 302 303 /* Clear the context state */ 304 explicit_bzero(ctx, sizeof (*ctx)); 305} 306 307/* SHA-224: ******************************************************* */ 308/* 309 * the SHA224 and SHA256 transforms are identical 310 */ 311 312/* SHA-224 initialization. Begins a SHA-224 operation. */ 313void 314SHA224_Init(SHA224_CTX * ctx) 315{ 316 317 /* Zero bits processed so far */ 318 ctx->count = 0; 319 320 /* Magic initialization constants */ 321 ctx->state[0] = 0xC1059ED8; 322 ctx->state[1] = 0x367CD507; 323 ctx->state[2] = 0x3070DD17; 324 ctx->state[3] = 0xF70E5939; 325 ctx->state[4] = 0xFFC00B31; 326 ctx->state[5] = 0x68581511; 327 ctx->state[6] = 0x64f98FA7; 328 ctx->state[7] = 0xBEFA4FA4; 329} 330 331/* Add bytes into the SHA-224 hash */ 332void 333SHA224_Update(SHA224_CTX * ctx, const void *in, size_t len) 334{ 335 336 SHA256_Update((SHA256_CTX *)ctx, in, len); 337} 338 339/* 340 * SHA-224 finalization. Pads the input data, exports the hash value, 341 * and clears the context state. 342 */ 343void 344SHA224_Final(unsigned char digest[static SHA224_DIGEST_LENGTH], SHA224_CTX *ctx) 345{ 346 347 /* Add padding */ 348 SHA256_Pad((SHA256_CTX *)ctx); 349 350 /* Write the hash */ 351 be32enc_vect(digest, ctx->state, SHA224_DIGEST_LENGTH); 352 353 /* Clear the context state */ 354 explicit_bzero(ctx, sizeof (*ctx)); 355} 356 357#ifdef WEAK_REFS 358/* 359 * When building libmd, provide weak references. Note: this is not 360 * activated in the context of compiling these sources for internal 361 * use in libcrypt. 362 */ 363#undef SHA256_Init 364__weak_reference(_libmd_SHA256_Init, SHA256_Init); 365#undef SHA256_Update 366__weak_reference(_libmd_SHA256_Update, SHA256_Update); 367#undef SHA256_Final 368__weak_reference(_libmd_SHA256_Final, SHA256_Final); 369#undef SHA256_Transform 370__weak_reference(_libmd_SHA256_Transform, SHA256_Transform); 371 372#undef SHA224_Init 373__weak_reference(_libmd_SHA224_Init, SHA224_Init); 374#undef SHA224_Update 375__weak_reference(_libmd_SHA224_Update, SHA224_Update); 376#undef SHA224_Final 377__weak_reference(_libmd_SHA224_Final, SHA224_Final); 378#endif 379