1222613Snwhitehorn//====- SHA256.cpp - SHA256 implementation ---*- C++ -* ======//
2222613Snwhitehorn//
3222613Snwhitehorn// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4222613Snwhitehorn// See https://llvm.org/LICENSE.txt for license information.
5222613Snwhitehorn// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6222613Snwhitehorn//
7222613Snwhitehorn//===----------------------------------------------------------------------===//
8222613Snwhitehorn/*
9222613Snwhitehorn *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
10222613Snwhitehorn *
11222613Snwhitehorn *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
12222613Snwhitehorn *
13222613Snwhitehorn *   The implementation is based on nacl's sha256 implementation [0] and LLVM's
14222613Snwhitehorn *  pre-exsiting SHA1 code [1].
15222613Snwhitehorn *
16222613Snwhitehorn *   [0] https://hyperelliptic.org/nacl/nacl-20110221.tar.bz2 (public domain
17222613Snwhitehorn *       code)
18222613Snwhitehorn *   [1] llvm/lib/Support/SHA1.{h,cpp}
19222613Snwhitehorn */
20222613Snwhitehorn//===----------------------------------------------------------------------===//
21222613Snwhitehorn
22222613Snwhitehorn#include "llvm/Support/SHA256.h"
23222613Snwhitehorn#include "llvm/ADT/ArrayRef.h"
24222613Snwhitehorn#include "llvm/ADT/StringRef.h"
25222613Snwhitehorn#include "llvm/Support/Endian.h"
26222613Snwhitehorn#include "llvm/Support/SwapByteOrder.h"
27222613Snwhitehorn#include <string.h>
28222613Snwhitehorn
29222613Snwhitehornnamespace llvm {
30222613Snwhitehorn
31222613Snwhitehorn#define SHR(x, c) ((x) >> (c))
32222613Snwhitehorn#define ROTR(x, n) (((x) >> n) | ((x) << (32 - (n))))
33222613Snwhitehorn
34222613Snwhitehorn#define CH(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
35222613Snwhitehorn#define MAJ(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
36222613Snwhitehorn
37222613Snwhitehorn#define SIGMA_0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
38222613Snwhitehorn#define SIGMA_1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
39222613Snwhitehorn
40222613Snwhitehorn#define SIGMA_2(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
41222613Snwhitehorn#define SIGMA_3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
42222613Snwhitehorn
43222613Snwhitehorn#define F_EXPAND(A, B, C, D, E, F, G, H, M1, M2, M3, M4, k)                    \
44222613Snwhitehorn  do {                                                                         \
45222613Snwhitehorn    H += SIGMA_1(E) + CH(E, F, G) + M1 + k;                                    \
46222613Snwhitehorn    D += H;                                                                    \
47222613Snwhitehorn    H += SIGMA_0(A) + MAJ(A, B, C);                                            \
48222613Snwhitehorn    M1 += SIGMA_2(M2) + M3 + SIGMA_3(M4);                                      \
49222613Snwhitehorn  } while (0);
50222613Snwhitehorn
51222613Snwhitehornvoid SHA256::init() {
52222613Snwhitehorn  InternalState.State[0] = 0x6A09E667;
53222613Snwhitehorn  InternalState.State[1] = 0xBB67AE85;
54222613Snwhitehorn  InternalState.State[2] = 0x3C6EF372;
55222613Snwhitehorn  InternalState.State[3] = 0xA54FF53A;
56222613Snwhitehorn  InternalState.State[4] = 0x510E527F;
57222613Snwhitehorn  InternalState.State[5] = 0x9B05688C;
58222613Snwhitehorn  InternalState.State[6] = 0x1F83D9AB;
59222613Snwhitehorn  InternalState.State[7] = 0x5BE0CD19;
60222613Snwhitehorn  InternalState.ByteCount = 0;
61222613Snwhitehorn  InternalState.BufferOffset = 0;
62222613Snwhitehorn}
63222613Snwhitehorn
64222613Snwhitehornvoid SHA256::hashBlock() {
65222613Snwhitehorn  uint32_t A = InternalState.State[0];
66222613Snwhitehorn  uint32_t B = InternalState.State[1];
67222613Snwhitehorn  uint32_t C = InternalState.State[2];
68222613Snwhitehorn  uint32_t D = InternalState.State[3];
69222613Snwhitehorn  uint32_t E = InternalState.State[4];
70222613Snwhitehorn  uint32_t F = InternalState.State[5];
71222613Snwhitehorn  uint32_t G = InternalState.State[6];
72222613Snwhitehorn  uint32_t H = InternalState.State[7];
73222613Snwhitehorn
74222613Snwhitehorn  uint32_t W00 = InternalState.Buffer.L[0];
75222613Snwhitehorn  uint32_t W01 = InternalState.Buffer.L[1];
76222613Snwhitehorn  uint32_t W02 = InternalState.Buffer.L[2];
77222613Snwhitehorn  uint32_t W03 = InternalState.Buffer.L[3];
78222613Snwhitehorn  uint32_t W04 = InternalState.Buffer.L[4];
79222613Snwhitehorn  uint32_t W05 = InternalState.Buffer.L[5];
80222613Snwhitehorn  uint32_t W06 = InternalState.Buffer.L[6];
81222613Snwhitehorn  uint32_t W07 = InternalState.Buffer.L[7];
82222613Snwhitehorn  uint32_t W08 = InternalState.Buffer.L[8];
83222613Snwhitehorn  uint32_t W09 = InternalState.Buffer.L[9];
84222613Snwhitehorn  uint32_t W10 = InternalState.Buffer.L[10];
85222613Snwhitehorn  uint32_t W11 = InternalState.Buffer.L[11];
86222613Snwhitehorn  uint32_t W12 = InternalState.Buffer.L[12];
87222613Snwhitehorn  uint32_t W13 = InternalState.Buffer.L[13];
88222613Snwhitehorn  uint32_t W14 = InternalState.Buffer.L[14];
89222613Snwhitehorn  uint32_t W15 = InternalState.Buffer.L[15];
90223485Snwhitehorn
91223485Snwhitehorn  F_EXPAND(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x428A2F98);
92223485Snwhitehorn  F_EXPAND(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x71374491);
93223485Snwhitehorn  F_EXPAND(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0xB5C0FBCF);
94223485Snwhitehorn  F_EXPAND(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0xE9B5DBA5);
95222613Snwhitehorn  F_EXPAND(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x3956C25B);
96222613Snwhitehorn  F_EXPAND(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x59F111F1);
97222613Snwhitehorn  F_EXPAND(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x923F82A4);
98222613Snwhitehorn  F_EXPAND(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0xAB1C5ED5);
99222613Snwhitehorn  F_EXPAND(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0xD807AA98);
100222613Snwhitehorn  F_EXPAND(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0x12835B01);
101222613Snwhitehorn  F_EXPAND(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0x243185BE);
102222613Snwhitehorn  F_EXPAND(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0x550C7DC3);
103222613Snwhitehorn  F_EXPAND(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0x72BE5D74);
104223485Snwhitehorn  F_EXPAND(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0x80DEB1FE);
105223485Snwhitehorn  F_EXPAND(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0x9BDC06A7);
106223485Snwhitehorn  F_EXPAND(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0xC19BF174);
107222613Snwhitehorn
108222613Snwhitehorn  F_EXPAND(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0xE49B69C1);
109222613Snwhitehorn  F_EXPAND(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0xEFBE4786);
110222613Snwhitehorn  F_EXPAND(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x0FC19DC6);
111222613Snwhitehorn  F_EXPAND(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x240CA1CC);
112222613Snwhitehorn  F_EXPAND(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x2DE92C6F);
113222613Snwhitehorn  F_EXPAND(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x4A7484AA);
114222613Snwhitehorn  F_EXPAND(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x5CB0A9DC);
115222613Snwhitehorn  F_EXPAND(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x76F988DA);
116222613Snwhitehorn  F_EXPAND(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0x983E5152);
117222613Snwhitehorn  F_EXPAND(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0xA831C66D);
118222613Snwhitehorn  F_EXPAND(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0xB00327C8);
119222613Snwhitehorn  F_EXPAND(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0xBF597FC7);
120222613Snwhitehorn  F_EXPAND(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0xC6E00BF3);
121222613Snwhitehorn  F_EXPAND(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xD5A79147);
122222613Snwhitehorn  F_EXPAND(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0x06CA6351);
123222613Snwhitehorn  F_EXPAND(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0x14292967);
124222613Snwhitehorn
125222613Snwhitehorn  F_EXPAND(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x27B70A85);
126222613Snwhitehorn  F_EXPAND(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x2E1B2138);
127222613Snwhitehorn  F_EXPAND(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x4D2C6DFC);
128222613Snwhitehorn  F_EXPAND(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x53380D13);
129222613Snwhitehorn  F_EXPAND(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x650A7354);
130222613Snwhitehorn  F_EXPAND(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x766A0ABB);
131222613Snwhitehorn  F_EXPAND(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x81C2C92E);
132222613Snwhitehorn  F_EXPAND(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x92722C85);
133222613Snwhitehorn  F_EXPAND(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0xA2BFE8A1);
134222613Snwhitehorn  F_EXPAND(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0xA81A664B);
135222613Snwhitehorn  F_EXPAND(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0xC24B8B70);
136222613Snwhitehorn  F_EXPAND(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0xC76C51A3);
137222613Snwhitehorn  F_EXPAND(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0xD192E819);
138222613Snwhitehorn  F_EXPAND(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xD6990624);
139222613Snwhitehorn  F_EXPAND(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0xF40E3585);
140222613Snwhitehorn  F_EXPAND(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0x106AA070);
141222613Snwhitehorn
142222613Snwhitehorn  F_EXPAND(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x19A4C116);
143222613Snwhitehorn  F_EXPAND(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x1E376C08);
144222613Snwhitehorn  F_EXPAND(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x2748774C);
145222613Snwhitehorn  F_EXPAND(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x34B0BCB5);
146222613Snwhitehorn  F_EXPAND(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x391C0CB3);
147222613Snwhitehorn  F_EXPAND(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x4ED8AA4A);
148222613Snwhitehorn  F_EXPAND(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x5B9CCA4F);
149222613Snwhitehorn  F_EXPAND(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x682E6FF3);
150222613Snwhitehorn  F_EXPAND(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0x748F82EE);
151222613Snwhitehorn  F_EXPAND(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0x78A5636F);
152222613Snwhitehorn  F_EXPAND(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0x84C87814);
153222613Snwhitehorn  F_EXPAND(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0x8CC70208);
154222613Snwhitehorn  F_EXPAND(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0x90BEFFFA);
155222613Snwhitehorn  F_EXPAND(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xA4506CEB);
156222613Snwhitehorn  F_EXPAND(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0xBEF9A3F7);
157  F_EXPAND(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0xC67178F2);
158
159  InternalState.State[0] += A;
160  InternalState.State[1] += B;
161  InternalState.State[2] += C;
162  InternalState.State[3] += D;
163  InternalState.State[4] += E;
164  InternalState.State[5] += F;
165  InternalState.State[6] += G;
166  InternalState.State[7] += H;
167}
168
169void SHA256::addUncounted(uint8_t Data) {
170  if constexpr (sys::IsBigEndianHost)
171    InternalState.Buffer.C[InternalState.BufferOffset] = Data;
172  else
173    InternalState.Buffer.C[InternalState.BufferOffset ^ 3] = Data;
174
175  InternalState.BufferOffset++;
176  if (InternalState.BufferOffset == BLOCK_LENGTH) {
177    hashBlock();
178    InternalState.BufferOffset = 0;
179  }
180}
181
182void SHA256::writebyte(uint8_t Data) {
183  ++InternalState.ByteCount;
184  addUncounted(Data);
185}
186
187void SHA256::update(ArrayRef<uint8_t> Data) {
188  InternalState.ByteCount += Data.size();
189
190  // Finish the current block.
191  if (InternalState.BufferOffset > 0) {
192    const size_t Remainder = std::min<size_t>(
193        Data.size(), BLOCK_LENGTH - InternalState.BufferOffset);
194    for (size_t I = 0; I < Remainder; ++I)
195      addUncounted(Data[I]);
196    Data = Data.drop_front(Remainder);
197  }
198
199  // Fast buffer filling for large inputs.
200  while (Data.size() >= BLOCK_LENGTH) {
201    assert(InternalState.BufferOffset == 0);
202    static_assert(BLOCK_LENGTH % 4 == 0);
203    constexpr size_t BLOCK_LENGTH_32 = BLOCK_LENGTH / 4;
204    for (size_t I = 0; I < BLOCK_LENGTH_32; ++I)
205      InternalState.Buffer.L[I] = support::endian::read32be(&Data[I * 4]);
206    hashBlock();
207    Data = Data.drop_front(BLOCK_LENGTH);
208  }
209
210  // Finish the remainder.
211  for (uint8_t C : Data)
212    addUncounted(C);
213}
214
215void SHA256::update(StringRef Str) {
216  update(
217      ArrayRef<uint8_t>((uint8_t *)const_cast<char *>(Str.data()), Str.size()));
218}
219
220void SHA256::pad() {
221  // Implement SHA-2 padding (fips180-2 5.1.1)
222
223  // Pad with 0x80 followed by 0x00 until the end of the block
224  addUncounted(0x80);
225  while (InternalState.BufferOffset != 56)
226    addUncounted(0x00);
227
228  uint64_t len = InternalState.ByteCount << 3; // bit size
229
230  // Append length in the last 8 bytes big edian encoded
231  addUncounted(len >> 56);
232  addUncounted(len >> 48);
233  addUncounted(len >> 40);
234  addUncounted(len >> 32);
235  addUncounted(len >> 24);
236  addUncounted(len >> 16);
237  addUncounted(len >> 8);
238  addUncounted(len);
239}
240
241void SHA256::final(std::array<uint32_t, HASH_LENGTH / 4> &HashResult) {
242  // Pad to complete the last block
243  pad();
244
245  if constexpr (sys::IsBigEndianHost) {
246    // Just copy the current state
247    for (int i = 0; i < 8; i++) {
248      HashResult[i] = InternalState.State[i];
249    }
250  } else {
251    // Swap byte order back
252    for (int i = 0; i < 8; i++) {
253      HashResult[i] = sys::getSwappedBytes(InternalState.State[i]);
254    }
255  }
256}
257
258std::array<uint8_t, 32> SHA256::final() {
259  union {
260    std::array<uint32_t, HASH_LENGTH / 4> HashResult;
261    std::array<uint8_t, HASH_LENGTH> ReturnResult;
262  };
263  static_assert(sizeof(HashResult) == sizeof(ReturnResult));
264  final(HashResult);
265  return ReturnResult;
266}
267
268std::array<uint8_t, 32> SHA256::result() {
269  auto StateToRestore = InternalState;
270
271  auto Hash = final();
272
273  // Restore the state
274  InternalState = StateToRestore;
275
276  // Return pointer to hash (32 characters)
277  return Hash;
278}
279
280std::array<uint8_t, 32> SHA256::hash(ArrayRef<uint8_t> Data) {
281  SHA256 Hash;
282  Hash.update(Data);
283  return Hash.final();
284}
285
286} // namespace llvm
287