xref: /freebsd/sys/crypto/sha2/sha256c.c (revision 7b3ea376a27ada7a61eb0c3102f13040fb8c16cb)
1 /*-
2  * Copyright 2005 Colin Percival
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include <sys/endian.h>
31 #include <sys/types.h>
32 
33 #ifdef _KERNEL
34 #include <sys/systm.h>
35 #else
36 #include <string.h>
37 #endif
38 
39 #include "sha256.h"
40 
41 #if BYTE_ORDER == BIG_ENDIAN
42 
43 /* Copy a vector of big-endian uint32_t into a vector of bytes */
44 #define be32enc_vect(dst, src, len)	\
45 	memcpy((void *)dst, (const void *)src, (size_t)len)
46 
47 /* Copy a vector of bytes into a vector of big-endian uint32_t */
48 #define be32dec_vect(dst, src, len)	\
49 	memcpy((void *)dst, (const void *)src, (size_t)len)
50 
51 #else /* BYTE_ORDER != BIG_ENDIAN */
52 
53 /*
54  * Encode a length len/4 vector of (uint32_t) into a length len vector of
55  * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
56  */
57 static void
58 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
59 {
60 	size_t i;
61 
62 	for (i = 0; i < len / 4; i++)
63 		be32enc(dst + i * 4, src[i]);
64 }
65 
66 /*
67  * Decode a big-endian length len vector of (unsigned char) into a length
68  * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
69  */
70 static void
71 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
72 {
73 	size_t i;
74 
75 	for (i = 0; i < len / 4; i++)
76 		dst[i] = be32dec(src + i * 4);
77 }
78 
79 #endif /* BYTE_ORDER != BIG_ENDIAN */
80 
81 /* Elementary functions used by SHA256 */
82 #define Ch(x, y, z)	((x & (y ^ z)) ^ z)
83 #define Maj(x, y, z)	((x & (y | z)) | (y & z))
84 #define SHR(x, n)	(x >> n)
85 #define ROTR(x, n)	((x >> n) | (x << (32 - n)))
86 #define S0(x)		(ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
87 #define S1(x)		(ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
88 #define s0(x)		(ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
89 #define s1(x)		(ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
90 
91 /* SHA256 round function */
92 #define RND(a, b, c, d, e, f, g, h, k)			\
93 	t0 = h + S1(e) + Ch(e, f, g) + k;		\
94 	t1 = S0(a) + Maj(a, b, c);			\
95 	d += t0;					\
96 	h  = t0 + t1;
97 
98 /* Adjusted round function for rotating state */
99 #define RNDr(S, W, i, k)			\
100 	RND(S[(64 - i) % 8], S[(65 - i) % 8],	\
101 	    S[(66 - i) % 8], S[(67 - i) % 8],	\
102 	    S[(68 - i) % 8], S[(69 - i) % 8],	\
103 	    S[(70 - i) % 8], S[(71 - i) % 8],	\
104 	    W[i] + k)
105 
106 /*
107  * SHA256 block compression function.  The 256-bit state is transformed via
108  * the 512-bit input block to produce a new state.
109  */
110 static void
111 SHA256_Transform(uint32_t * state, const unsigned char block[64])
112 {
113 	uint32_t W[64];
114 	uint32_t S[8];
115 	uint32_t t0, t1;
116 	int i;
117 
118 	/* 1. Prepare message schedule W. */
119 	be32dec_vect(W, block, 64);
120 	for (i = 16; i < 64; i++)
121 		W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
122 
123 	/* 2. Initialize working variables. */
124 	memcpy(S, state, 32);
125 
126 	/* 3. Mix. */
127 	RNDr(S, W, 0, 0x428a2f98);
128 	RNDr(S, W, 1, 0x71374491);
129 	RNDr(S, W, 2, 0xb5c0fbcf);
130 	RNDr(S, W, 3, 0xe9b5dba5);
131 	RNDr(S, W, 4, 0x3956c25b);
132 	RNDr(S, W, 5, 0x59f111f1);
133 	RNDr(S, W, 6, 0x923f82a4);
134 	RNDr(S, W, 7, 0xab1c5ed5);
135 	RNDr(S, W, 8, 0xd807aa98);
136 	RNDr(S, W, 9, 0x12835b01);
137 	RNDr(S, W, 10, 0x243185be);
138 	RNDr(S, W, 11, 0x550c7dc3);
139 	RNDr(S, W, 12, 0x72be5d74);
140 	RNDr(S, W, 13, 0x80deb1fe);
141 	RNDr(S, W, 14, 0x9bdc06a7);
142 	RNDr(S, W, 15, 0xc19bf174);
143 	RNDr(S, W, 16, 0xe49b69c1);
144 	RNDr(S, W, 17, 0xefbe4786);
145 	RNDr(S, W, 18, 0x0fc19dc6);
146 	RNDr(S, W, 19, 0x240ca1cc);
147 	RNDr(S, W, 20, 0x2de92c6f);
148 	RNDr(S, W, 21, 0x4a7484aa);
149 	RNDr(S, W, 22, 0x5cb0a9dc);
150 	RNDr(S, W, 23, 0x76f988da);
151 	RNDr(S, W, 24, 0x983e5152);
152 	RNDr(S, W, 25, 0xa831c66d);
153 	RNDr(S, W, 26, 0xb00327c8);
154 	RNDr(S, W, 27, 0xbf597fc7);
155 	RNDr(S, W, 28, 0xc6e00bf3);
156 	RNDr(S, W, 29, 0xd5a79147);
157 	RNDr(S, W, 30, 0x06ca6351);
158 	RNDr(S, W, 31, 0x14292967);
159 	RNDr(S, W, 32, 0x27b70a85);
160 	RNDr(S, W, 33, 0x2e1b2138);
161 	RNDr(S, W, 34, 0x4d2c6dfc);
162 	RNDr(S, W, 35, 0x53380d13);
163 	RNDr(S, W, 36, 0x650a7354);
164 	RNDr(S, W, 37, 0x766a0abb);
165 	RNDr(S, W, 38, 0x81c2c92e);
166 	RNDr(S, W, 39, 0x92722c85);
167 	RNDr(S, W, 40, 0xa2bfe8a1);
168 	RNDr(S, W, 41, 0xa81a664b);
169 	RNDr(S, W, 42, 0xc24b8b70);
170 	RNDr(S, W, 43, 0xc76c51a3);
171 	RNDr(S, W, 44, 0xd192e819);
172 	RNDr(S, W, 45, 0xd6990624);
173 	RNDr(S, W, 46, 0xf40e3585);
174 	RNDr(S, W, 47, 0x106aa070);
175 	RNDr(S, W, 48, 0x19a4c116);
176 	RNDr(S, W, 49, 0x1e376c08);
177 	RNDr(S, W, 50, 0x2748774c);
178 	RNDr(S, W, 51, 0x34b0bcb5);
179 	RNDr(S, W, 52, 0x391c0cb3);
180 	RNDr(S, W, 53, 0x4ed8aa4a);
181 	RNDr(S, W, 54, 0x5b9cca4f);
182 	RNDr(S, W, 55, 0x682e6ff3);
183 	RNDr(S, W, 56, 0x748f82ee);
184 	RNDr(S, W, 57, 0x78a5636f);
185 	RNDr(S, W, 58, 0x84c87814);
186 	RNDr(S, W, 59, 0x8cc70208);
187 	RNDr(S, W, 60, 0x90befffa);
188 	RNDr(S, W, 61, 0xa4506ceb);
189 	RNDr(S, W, 62, 0xbef9a3f7);
190 	RNDr(S, W, 63, 0xc67178f2);
191 
192 	/* 4. Mix local working variables into global state */
193 	for (i = 0; i < 8; i++)
194 		state[i] += S[i];
195 }
196 
197 static unsigned char PAD[64] = {
198 	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
199 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
200 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
201 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
202 };
203 
204 /* Add padding and terminating bit-count. */
205 static void
206 SHA256_Pad(SHA256_CTX * ctx)
207 {
208 	unsigned char len[8];
209 	uint32_t r, plen;
210 
211 	/*
212 	 * Convert length to a vector of bytes -- we do this now rather
213 	 * than later because the length will change after we pad.
214 	 */
215 	be64enc(len, ctx->count);
216 
217 	/* Add 1--64 bytes so that the resulting length is 56 mod 64 */
218 	r = (ctx->count >> 3) & 0x3f;
219 	plen = (r < 56) ? (56 - r) : (120 - r);
220 	SHA256_Update(ctx, PAD, (size_t)plen);
221 
222 	/* Add the terminating bit-count */
223 	SHA256_Update(ctx, len, 8);
224 }
225 
226 /* SHA-256 initialization.  Begins a SHA-256 operation. */
227 void
228 SHA256_Init(SHA256_CTX * ctx)
229 {
230 
231 	/* Zero bits processed so far */
232 	ctx->count = 0;
233 
234 	/* Magic initialization constants */
235 	ctx->state[0] = 0x6A09E667;
236 	ctx->state[1] = 0xBB67AE85;
237 	ctx->state[2] = 0x3C6EF372;
238 	ctx->state[3] = 0xA54FF53A;
239 	ctx->state[4] = 0x510E527F;
240 	ctx->state[5] = 0x9B05688C;
241 	ctx->state[6] = 0x1F83D9AB;
242 	ctx->state[7] = 0x5BE0CD19;
243 }
244 
245 /* Add bytes into the hash */
246 void
247 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
248 {
249 	uint64_t bitlen;
250 	uint32_t r;
251 	const unsigned char *src = in;
252 
253 	/* Number of bytes left in the buffer from previous updates */
254 	r = (ctx->count >> 3) & 0x3f;
255 
256 	/* Convert the length into a number of bits */
257 	bitlen = len << 3;
258 
259 	/* Update number of bits */
260 	ctx->count += bitlen;
261 
262 	/* Handle the case where we don't need to perform any transforms */
263 	if (len < 64 - r) {
264 		memcpy(&ctx->buf[r], src, len);
265 		return;
266 	}
267 
268 	/* Finish the current block */
269 	memcpy(&ctx->buf[r], src, 64 - r);
270 	SHA256_Transform(ctx->state, ctx->buf);
271 	src += 64 - r;
272 	len -= 64 - r;
273 
274 	/* Perform complete blocks */
275 	while (len >= 64) {
276 		SHA256_Transform(ctx->state, src);
277 		src += 64;
278 		len -= 64;
279 	}
280 
281 	/* Copy left over data into buffer */
282 	memcpy(ctx->buf, src, len);
283 }
284 
285 /*
286  * SHA-256 finalization.  Pads the input data, exports the hash value,
287  * and clears the context state.
288  */
289 void
290 SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx)
291 {
292 
293 	/* Add padding */
294 	SHA256_Pad(ctx);
295 
296 	/* Write the hash */
297 	be32enc_vect(digest, ctx->state, 32);
298 
299 	/* Clear the context state */
300 	memset((void *)ctx, 0, sizeof(*ctx));
301 }
302 
303 #ifdef WEAK_REFS
304 /* When building libmd, provide weak references. Note: this is not
305    activated in the context of compiling these sources for internal
306    use in libcrypt.
307  */
308 #undef SHA256_Init
309 __weak_reference(_libmd_SHA256_Init, SHA256_Init);
310 #undef SHA256_Update
311 __weak_reference(_libmd_SHA256_Update, SHA256_Update);
312 #undef SHA256_Final
313 __weak_reference(_libmd_SHA256_Final, SHA256_Final);
314 #undef SHA256_Transform
315 __weak_reference(_libmd_SHA256_Transform, SHA256_Transform);
316 #endif
317