1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/crypto/builtin/sha2/sha256.c - SHA-256 implementation */
3 /*
4 * Copyright (c) 2006 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "sha2.h"
37
38 #ifdef K5_BUILTIN_SHA2
39
40 #ifdef K5_BE
41 #define WORDS_BIGENDIAN
42 #endif
43
44 #ifndef min
45 #define min(a,b) (((a)>(b))?(b):(a))
46 #endif
47
48 /* Vector Crays doesn't have a good 32-bit type, or more precisely,
49 * int32_t as defined by <bind/bitypes.h> isn't 32 bits, and we don't
50 * want to depend in being able to redefine this type. To cope with
51 * this we have to clamp the result in some places to [0,2^32); no
52 * need to do this on other machines. Did I say this was a mess?
53 */
54
55 #ifdef _CRAY
56 #define CRAYFIX(X) ((X) & 0xffffffff)
57 #else
58 #define CRAYFIX(X) (X)
59 #endif
60
61 static inline uint32_t
cshift(uint32_t x,unsigned int n)62 cshift (uint32_t x, unsigned int n)
63 {
64 x = CRAYFIX(x);
65 return CRAYFIX((x << n) | (x >> (32 - n)));
66 }
67
68 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
69 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
70
71 #define ROTR(x,n) (((x)>>(n)) | ((x) << (32 - (n))))
72
73 #define Sigma0(x) (ROTR(x,2) ^ ROTR(x,13) ^ ROTR(x,22))
74 #define Sigma1(x) (ROTR(x,6) ^ ROTR(x,11) ^ ROTR(x,25))
75 #define sigma0(x) (ROTR(x,7) ^ ROTR(x,18) ^ ((x)>>3))
76 #define sigma1(x) (ROTR(x,17) ^ ROTR(x,19) ^ ((x)>>10))
77
78 #define A m->counter[0]
79 #define B m->counter[1]
80 #define C m->counter[2]
81 #define D m->counter[3]
82 #define E m->counter[4]
83 #define F m->counter[5]
84 #define G m->counter[6]
85 #define H m->counter[7]
86
87 static const uint32_t constant_256[64] = {
88 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
89 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
90 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
91 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
92 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
93 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
94 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
95 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
96 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
97 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
98 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
99 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
100 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
101 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
102 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
103 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
104 };
105
106 void
k5_sha256_init(SHA256_CTX * m)107 k5_sha256_init(SHA256_CTX *m)
108 {
109 m->sz[0] = 0;
110 m->sz[1] = 0;
111 A = 0x6a09e667;
112 B = 0xbb67ae85;
113 C = 0x3c6ef372;
114 D = 0xa54ff53a;
115 E = 0x510e527f;
116 F = 0x9b05688c;
117 G = 0x1f83d9ab;
118 H = 0x5be0cd19;
119 }
120
121 static void
calc(SHA256_CTX * m,uint32_t * in)122 calc(SHA256_CTX *m, uint32_t *in)
123 {
124 uint32_t AA, BB, CC, DD, EE, FF, GG, HH;
125 uint32_t data[64];
126 int i;
127
128 AA = A;
129 BB = B;
130 CC = C;
131 DD = D;
132 EE = E;
133 FF = F;
134 GG = G;
135 HH = H;
136
137 for (i = 0; i < 16; ++i)
138 data[i] = in[i];
139 for (i = 16; i < 64; ++i)
140 data[i] = sigma1(data[i-2]) + data[i-7] +
141 sigma0(data[i-15]) + data[i - 16];
142
143 for (i = 0; i < 64; i++) {
144 uint32_t T1, T2;
145
146 T1 = HH + Sigma1(EE) + Ch(EE, FF, GG) + constant_256[i] + data[i];
147 T2 = Sigma0(AA) + Maj(AA,BB,CC);
148
149 HH = GG;
150 GG = FF;
151 FF = EE;
152 EE = DD + T1;
153 DD = CC;
154 CC = BB;
155 BB = AA;
156 AA = T1 + T2;
157 }
158
159 A += AA;
160 B += BB;
161 C += CC;
162 D += DD;
163 E += EE;
164 F += FF;
165 G += GG;
166 H += HH;
167 }
168
169 /*
170 * From `Performance analysis of MD5' by Joseph D. Touch <touch@isi.edu>
171 */
172
173 #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
174 static inline uint32_t
swap_uint32_t(uint32_t t)175 swap_uint32_t(uint32_t t)
176 {
177 #define ROL(x,n) ((x)<<(n))|((x)>>(32-(n)))
178 uint32_t temp1, temp2;
179
180 temp1 = cshift(t, 16);
181 temp2 = temp1 >> 8;
182 temp1 &= 0x00ff00ff;
183 temp2 &= 0x00ff00ff;
184 temp1 <<= 8;
185 return temp1 | temp2;
186 }
187 #endif
188
189 struct x32 {
190 unsigned int a:32;
191 unsigned int b:32;
192 };
193
194 void
k5_sha256_update(SHA256_CTX * m,const void * v,size_t len)195 k5_sha256_update(SHA256_CTX *m, const void *v, size_t len)
196 {
197 const unsigned char *p = v;
198 size_t old_sz = m->sz[0];
199 size_t offset;
200
201 m->sz[0] += len * 8;
202 if (m->sz[0] < old_sz)
203 ++m->sz[1];
204 offset = (old_sz / 8) % 64;
205 while(len > 0){
206 size_t l = min(len, 64 - offset);
207 memcpy(m->save + offset, p, l);
208 offset += l;
209 p += l;
210 len -= l;
211 if(offset == 64){
212 #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
213 int i;
214 uint32_t current[16];
215 struct x32 *u = (struct x32*)(void*)m->save;
216 for(i = 0; i < 8; i++){
217 current[2*i+0] = swap_uint32_t(u[i].a);
218 current[2*i+1] = swap_uint32_t(u[i].b);
219 }
220 calc(m, current);
221 #else
222 calc(m, (uint32_t*)(void*)m->save);
223 #endif
224 offset = 0;
225 }
226 }
227 }
228
229 void
k5_sha256_final(void * res,SHA256_CTX * m)230 k5_sha256_final(void *res, SHA256_CTX *m)
231 {
232 unsigned char zeros[72];
233 unsigned offset = (m->sz[0] / 8) % 64;
234 unsigned int dstart = (120 - offset - 1) % 64 + 1;
235
236 *zeros = 0x80;
237 memset (zeros + 1, 0, sizeof(zeros) - 1);
238 zeros[dstart+7] = (m->sz[0] >> 0) & 0xff;
239 zeros[dstart+6] = (m->sz[0] >> 8) & 0xff;
240 zeros[dstart+5] = (m->sz[0] >> 16) & 0xff;
241 zeros[dstart+4] = (m->sz[0] >> 24) & 0xff;
242 zeros[dstart+3] = (m->sz[1] >> 0) & 0xff;
243 zeros[dstart+2] = (m->sz[1] >> 8) & 0xff;
244 zeros[dstart+1] = (m->sz[1] >> 16) & 0xff;
245 zeros[dstart+0] = (m->sz[1] >> 24) & 0xff;
246 k5_sha256_update(m, zeros, dstart + 8);
247 {
248 int i;
249 unsigned char *r = (unsigned char*)res;
250
251 for (i = 0; i < 8; ++i) {
252 r[4*i+3] = m->counter[i] & 0xFF;
253 r[4*i+2] = (m->counter[i] >> 8) & 0xFF;
254 r[4*i+1] = (m->counter[i] >> 16) & 0xFF;
255 r[4*i] = (m->counter[i] >> 24) & 0xFF;
256 }
257 }
258 }
259
260 krb5_error_code
k5_sha256(const krb5_data * in,size_t n,uint8_t out[K5_SHA256_HASHLEN])261 k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN])
262 {
263 SHA256_CTX ctx;
264 size_t i;
265
266 k5_sha256_init(&ctx);
267 for (i = 0; i < n; i++)
268 k5_sha256_update(&ctx, in[i].data, in[i].length);
269 k5_sha256_final(out, &ctx);
270 return 0;
271 }
272
273 #endif /* K5_BUILTIN_SHA2 */
274