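//====- SHA256.cpp - SHA256 implementation ---*- C++ -* ======//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
/*
 *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
 *
 *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
 *
 *   The implementation is based on nacl's sha256 implementation [0] and LLVM's
 *  pre-existing SHA1 code [1].
 *
 *   [0] https://hyperelliptic.org/nacl/nacl-20110221.tar.bz2 (public domain
 *       code)
 *   [1] llvm/lib/Support/SHA1.{h,cpp}
 */
//===----------------------------------------------------------------------===//

#include "llvm/Support/SHA256.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/Support/Endian.h"
#include "llvm/Support/SwapByteOrder.h"
#include <string.h>

namespace llvm {

// Logical shift right and 32-bit rotate right. Every macro argument is
// parenthesized so that an expression argument cannot change precedence.
#define SHR(x, c) ((x) >> (c))
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

// Choice and majority functions of the compression function.
#define CH(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
#define MAJ(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))

// SIGMA_0 / SIGMA_1 mix the working variables in each round.
#define SIGMA_0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
#define SIGMA_1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))

// SIGMA_2 / SIGMA_3 are used only to expand the message schedule.
#define SIGMA_2(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
#define SIGMA_3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))

// One round of the compression function, followed by the in-place update of
// the schedule word M1 so that it holds the value needed 16 rounds later.
// The working variables are rotated by permuting the arguments at the call
// site rather than by moving values. No trailing semicolon after `while (0)`:
// the caller supplies it, which keeps the macro usable as a single statement.
#define F_EXPAND(A, B, C, D, E, F, G, H, M1, M2, M3, M4, k)                    \
  do {                                                                         \
    H += SIGMA_1(E) + CH(E, F, G) + M1 + k;                                    \
    D += H;                                                                    \
    H += SIGMA_0(A) + MAJ(A, B, C);                                            \
    M1 += SIGMA_2(M2) + M3 + SIGMA_3(M4);                                      \
  } while (0)

/// Reset the hasher: load the eight initial chaining values and clear the
/// byte counter and the buffer offset.
void SHA256::init() {
  InternalState.State[0] = 0x6A09E667;
  InternalState.State[1] = 0xBB67AE85;
  InternalState.State[2] = 0x3C6EF372;
  InternalState.State[3] = 0xA54FF53A;
  InternalState.State[4] = 0x510E527F;
  InternalState.State[5] = 0x9B05688C;
  InternalState.State[6] = 0x1F83D9AB;
  InternalState.State[7] = 0x5BE0CD19;
  InternalState.ByteCount = 0;
  InternalState.BufferOffset = 0;
}

/// Compress the 16 words currently held in InternalState.Buffer.L into
/// InternalState.State. The 64 rounds are fully unrolled as four groups of
/// 16; the body contains no branch and no table lookup that depends on the
/// message words.
void SHA256::hashBlock() {
  uint32_t A = InternalState.State[0];
  uint32_t B = InternalState.State[1];
  uint32_t C = InternalState.State[2];
  uint32_t D = InternalState.State[3];
  uint32_t E = InternalState.State[4];
  uint32_t F = InternalState.State[5];
  uint32_t G = InternalState.State[6];
  uint32_t H = InternalState.State[7];

  // Local copy of the message block; F_EXPAND overwrites these words in place
  // with the expanded schedule.
  uint32_t W00 = InternalState.Buffer.L[0];
  uint32_t W01 = InternalState.Buffer.L[1];
  uint32_t W02 = InternalState.Buffer.L[2];
  uint32_t W03 = InternalState.Buffer.L[3];
  uint32_t W04 = InternalState.Buffer.L[4];
  uint32_t W05 = InternalState.Buffer.L[5];
  uint32_t W06 = InternalState.Buffer.L[6];
  uint32_t W07 = InternalState.Buffer.L[7];
  uint32_t W08 = InternalState.Buffer.L[8];
  uint32_t W09 = InternalState.Buffer.L[9];
  uint32_t W10 = InternalState.Buffer.L[10];
  uint32_t W11 = InternalState.Buffer.L[11];
  uint32_t W12 = InternalState.Buffer.L[12];
  uint32_t W13 = InternalState.Buffer.L[13];
  uint32_t W14 = InternalState.Buffer.L[14];
  uint32_t W15 = InternalState.Buffer.L[15];

  // Rounds 0-15.
  F_EXPAND(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x428A2F98);
  F_EXPAND(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x71374491);
  F_EXPAND(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0xB5C0FBCF);
  F_EXPAND(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0xE9B5DBA5);
  F_EXPAND(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x3956C25B);
  F_EXPAND(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x59F111F1);
  F_EXPAND(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x923F82A4);
  F_EXPAND(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0xAB1C5ED5);
  F_EXPAND(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0xD807AA98);
  F_EXPAND(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0x12835B01);
  F_EXPAND(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0x243185BE);
  F_EXPAND(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0x550C7DC3);
  F_EXPAND(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0x72BE5D74);
  F_EXPAND(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0x80DEB1FE);
  F_EXPAND(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0x9BDC06A7);
  F_EXPAND(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0xC19BF174);

  // Rounds 16-31.
  F_EXPAND(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0xE49B69C1);
  F_EXPAND(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0xEFBE4786);
  F_EXPAND(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x0FC19DC6);
  F_EXPAND(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x240CA1CC);
  F_EXPAND(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x2DE92C6F);
  F_EXPAND(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x4A7484AA);
  F_EXPAND(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x5CB0A9DC);
  F_EXPAND(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x76F988DA);
  F_EXPAND(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0x983E5152);
  F_EXPAND(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0xA831C66D);
  F_EXPAND(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0xB00327C8);
  F_EXPAND(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0xBF597FC7);
  F_EXPAND(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0xC6E00BF3);
  F_EXPAND(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xD5A79147);
  F_EXPAND(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0x06CA6351);
  F_EXPAND(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0x14292967);

  // Rounds 32-47.
  F_EXPAND(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x27B70A85);
  F_EXPAND(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x2E1B2138);
  F_EXPAND(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x4D2C6DFC);
  F_EXPAND(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x53380D13);
  F_EXPAND(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x650A7354);
  F_EXPAND(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x766A0ABB);
  F_EXPAND(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x81C2C92E);
  F_EXPAND(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x92722C85);
  F_EXPAND(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0xA2BFE8A1);
  F_EXPAND(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0xA81A664B);
  F_EXPAND(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0xC24B8B70);
  F_EXPAND(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0xC76C51A3);
  F_EXPAND(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0xD192E819);
  F_EXPAND(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xD6990624);
  F_EXPAND(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0xF40E3585);
  F_EXPAND(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0x106AA070);

  // Rounds 48-63. The schedule words written here are never read again.
  F_EXPAND(A, B, C, D, E, F, G, H, W00, W14, W09, W01, 0x19A4C116);
  F_EXPAND(H, A, B, C, D, E, F, G, W01, W15, W10, W02, 0x1E376C08);
  F_EXPAND(G, H, A, B, C, D, E, F, W02, W00, W11, W03, 0x2748774C);
  F_EXPAND(F, G, H, A, B, C, D, E, W03, W01, W12, W04, 0x34B0BCB5);
  F_EXPAND(E, F, G, H, A, B, C, D, W04, W02, W13, W05, 0x391C0CB3);
  F_EXPAND(D, E, F, G, H, A, B, C, W05, W03, W14, W06, 0x4ED8AA4A);
  F_EXPAND(C, D, E, F, G, H, A, B, W06, W04, W15, W07, 0x5B9CCA4F);
  F_EXPAND(B, C, D, E, F, G, H, A, W07, W05, W00, W08, 0x682E6FF3);
  F_EXPAND(A, B, C, D, E, F, G, H, W08, W06, W01, W09, 0x748F82EE);
  F_EXPAND(H, A, B, C, D, E, F, G, W09, W07, W02, W10, 0x78A5636F);
  F_EXPAND(G, H, A, B, C, D, E, F, W10, W08, W03, W11, 0x84C87814);
  F_EXPAND(F, G, H, A, B, C, D, E, W11, W09, W04, W12, 0x8CC70208);
  F_EXPAND(E, F, G, H, A, B, C, D, W12, W10, W05, W13, 0x90BEFFFA);
  F_EXPAND(D, E, F, G, H, A, B, C, W13, W11, W06, W14, 0xA4506CEB);
  F_EXPAND(C, D, E, F, G, H, A, B, W14, W12, W07, W15, 0xBEF9A3F7);
  F_EXPAND(B, C, D, E, F, G, H, A, W15, W13, W08, W00, 0xC67178F2);

  // Fold the working variables back into the chaining state.
  InternalState.State[0] += A;
  InternalState.State[1] += B;
  InternalState.State[2] += C;
  InternalState.State[3] += D;
  InternalState.State[4] += E;
  InternalState.State[5] += F;
  InternalState.State[6] += G;
  InternalState.State[7] += H;
}

/// Append one byte to the block buffer without touching ByteCount, and
/// compress the block once it is full. pad() relies on this so that padding
/// bytes are not counted as message bytes.
void SHA256::addUncounted(uint8_t Data) {
  // Buffer.C and Buffer.L are presumably overlapping views of one block
  // (declared in the header; confirm there). hashBlock() reads the block as
  // host-order 32-bit words, so on a little-endian host the byte index is
  // XORed with 3 to store each word's bytes in reverse.
  if constexpr (sys::IsBigEndianHost)
    InternalState.Buffer.C[InternalState.BufferOffset] = Data;
  else
    InternalState.Buffer.C[InternalState.BufferOffset ^ 3] = Data;

  InternalState.BufferOffset++;
  if (InternalState.BufferOffset == BLOCK_LENGTH) {
    hashBlock();
    InternalState.BufferOffset = 0;
  }
}

/// Hash a single message byte.
void SHA256::writebyte(uint8_t Data) {
  ++InternalState.ByteCount;
  addUncounted(Data);
}

/// Hash \p Data, which may be of any length, including zero.
void SHA256::update(ArrayRef<uint8_t> Data) {
  InternalState.ByteCount += Data.size();

  // Finish the current block.
  if (InternalState.BufferOffset > 0) {
    const size_t Remainder = std::min<size_t>(
        Data.size(), BLOCK_LENGTH - InternalState.BufferOffset);
    for (size_t I = 0; I < Remainder; ++I)
      addUncounted(Data[I]);
    Data = Data.drop_front(Remainder);
  }

  // Fast buffer filling for large inputs. The loop condition guarantees that
  // a whole block is available, so every 4-byte read below stays inside Data.
  while (Data.size() >= BLOCK_LENGTH) {
    assert(InternalState.BufferOffset == 0);
    static_assert(BLOCK_LENGTH % 4 == 0);
    constexpr size_t BLOCK_LENGTH_32 = BLOCK_LENGTH / 4;
    for (size_t I = 0; I < BLOCK_LENGTH_32; ++I)
      InternalState.Buffer.L[I] = support::endian::read32be(&Data[I * 4]);
    hashBlock();
    Data = Data.drop_front(BLOCK_LENGTH);
  }

  // Finish the remainder.
  for (uint8_t C : Data)
    addUncounted(C);
}

/// Hash the bytes of \p Str.
void SHA256::update(StringRef Str) {
  // The bytes are only read, so view them as const uint8_t instead of
  // casting the const qualifier away.
  update(ArrayRef<uint8_t>(reinterpret_cast<const uint8_t *>(Str.data()),
                           Str.size()));
}

/// Append the SHA-2 padding and the message length to the buffer, which
/// compresses the final block(s).
void SHA256::pad() {
  // Implement SHA-2 padding (fips180-2 5.1.1)

  // Pad with 0x80 followed by 0x00 until the end of the block. The loop stops
  // at offset 56, leaving the 8 bytes that the length field below fills; if
  // the 0x80 byte lands past offset 56 the loop runs on into the next block.
  addUncounted(0x80);
  while (InternalState.BufferOffset != 56)
    addUncounted(0x00);

  // Message length in bits. The shift drops the top three bits of the byte
  // count, so the encoded length is only exact while the bit count fits in
  // 64 bits, which is also the message size limit of SHA-256.
  uint64_t len = InternalState.ByteCount << 3; // bit size

  // Append length in the last 8 bytes, big-endian encoded
  addUncounted(static_cast<uint8_t>(len >> 56));
  addUncounted(static_cast<uint8_t>(len >> 48));
  addUncounted(static_cast<uint8_t>(len >> 40));
  addUncounted(static_cast<uint8_t>(len >> 32));
  addUncounted(static_cast<uint8_t>(len >> 24));
  addUncounted(static_cast<uint8_t>(len >> 16));
  addUncounted(static_cast<uint8_t>(len >> 8));
  addUncounted(static_cast<uint8_t>(len));
}

/// Finish the hash and store the digest in \p HashResult as eight words whose
/// in-memory bytes are the big-endian digest. This consumes the internal
/// state; use result() to read a digest and keep hashing.
void SHA256::final(std::array<uint32_t, HASH_LENGTH / 4> &HashResult) {
  // Pad to complete the last block
  pad();

  if constexpr (sys::IsBigEndianHost) {
    // Just copy the current state
    for (int i = 0; i < 8; i++) {
      HashResult[i] = InternalState.State[i];
    }
  } else {
    // Swap byte order back
    for (int i = 0; i < 8; i++) {
      HashResult[i] = llvm::byteswap(InternalState.State[i]);
    }
  }
}

/// Finish the hash and return the digest as bytes.
std::array<uint8_t, 32> SHA256::final() {
  std::array<uint32_t, HASH_LENGTH / 4> HashResult;
  final(HashResult);

  // Copy the words out byte for byte. Writing one member of a union and
  // reading another is not defined behaviour in C++; memcpy is, and compilers
  // reduce a fixed-size copy like this one to plain loads and stores.
  std::array<uint8_t, HASH_LENGTH> ReturnResult;
  static_assert(sizeof(HashResult) == sizeof(ReturnResult));
  memcpy(ReturnResult.data(), HashResult.data(), sizeof(ReturnResult));
  return ReturnResult;
}

/// Return the digest of everything hashed so far and leave the hasher usable
/// for further update() calls.
std::array<uint8_t, 32> SHA256::result() {
  // final() pads and compresses in place, so work on a saved copy.
  auto StateToRestore = InternalState;

  auto Hash = final();

  // Restore the state
  InternalState = StateToRestore;

  // Return the 32-byte digest by value
  return Hash;
}

/// One-shot helper: return the SHA-256 digest of \p Data.
std::array<uint8_t, 32> SHA256::hash(ArrayRef<uint8_t> Data) {
  SHA256 Hash;
  Hash.update(Data);
  return Hash.final();
}

} // namespace llvm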