Download
jcs
/subtext
/sha2.c
(View History)
jcs sha1: Import from OpenBSD | Latest amendment: 177 on 2022-06-30 |
1 | /* $OpenBSD: sha2.c,v 1.19 2021/03/12 10:22:46 jsg Exp $ */ |
2 | |
3 | /* |
4 | * FILE: sha2.c |
5 | * AUTHOR: Aaron D. Gifford <me@aarongifford.com> |
6 | * |
7 | * Copyright (c) 2000-2001, Aaron D. Gifford |
8 | * All rights reserved. |
9 | * |
10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions |
12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. |
15 | * 2. Redistributions in binary form must reproduce the above copyright |
16 | * notice, this list of conditions and the following disclaimer in the |
17 | * documentation and/or other materials provided with the distribution. |
18 | * 3. Neither the name of the copyright holder nor the names of contributors |
19 | * may be used to endorse or promote products derived from this software |
20 | * without specific prior written permission. |
21 | * |
22 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND |
23 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
24 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
25 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE |
26 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
27 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
28 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
29 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
30 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
31 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
32 | * SUCH DAMAGE. |
33 | * |
34 | * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ |
35 | */ |
36 | |
37 | #include <string.h> |
38 | #include "sha2.h" |
39 | |
40 | char *SHA256End(SHA2_CTX *ctx, char *buf); |
41 | |
42 | /*** SHA-256/384/512 Machine Architecture Definitions *****************/ |
43 | /* |
44 | * BYTE_ORDER NOTE: |
45 | * |
46 | * Please make sure that your system defines BYTE_ORDER. If your |
47 | * architecture is little-endian, make sure it also defines |
48 | * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are |
49 | * equivalent. |
50 | * |
51 | * If your system does not define the above, then you can do so by |
52 | * hand like this: |
53 | * |
54 | * #define LITTLE_ENDIAN 1234 |
55 | * #define BIG_ENDIAN 4321 |
56 | * |
57 | * And for little-endian machines, add: |
58 | * |
59 | * #define BYTE_ORDER LITTLE_ENDIAN |
60 | * |
61 | * Or for big-endian machines: |
62 | * |
63 | * #define BYTE_ORDER BIG_ENDIAN |
64 | * |
65 | * The FreeBSD machine this was written on defines BYTE_ORDER |
66 | * appropriately by including <sys/types.h> (which in turn includes |
67 | * <machine/endian.h> where the appropriate definitions are actually |
68 | * made). |
69 | */ |
70 | #if !defined(BYTE_ORDER) || (BYTE_ORDER != BIG_ENDIAN) |
71 | #error little-endian support was removed |
72 | #endif |
73 | |
74 | |
75 | /*** SHA-256 Various Length Definitions ***********************/ |
76 | /* NOTE: Most of these are in sha2.h */ |
77 | #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) |
78 | |
79 | /* |
80 | * Macro for incrementally adding the unsigned 32-bit integer n to the |
81 | * unsigned 64-bit integer (represented using a two-element array of |
82 | * 32-bit words): |
83 | */ |
84 | #define ADDINC64(w,n) { \ |
85 | (w)[0] += (u_int32_t)(n); \ |
86 | if ((w)[0] < (n)) { \ |
87 | (w)[1]++; \ |
88 | } \ |
89 | } |
90 | |
91 | /*** THE SIX LOGICAL FUNCTIONS ****************************************/ |
92 | /* |
93 | * Bit shifting and rotation (used by the six SHA-XYZ logical functions: |
94 | * |
95 | * NOTE: The naming of R and S appears backwards here (R is a SHIFT and |
96 | * S is a ROTATION) because the SHA-256/384/512 description document |
97 | * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this |
98 | * same "backwards" definition. |
99 | */ |
100 | /* Shift-right (used in SHA-256: */ |
101 | #define R(b,x) ((x) >> (b)) |
102 | /* 32-bit Rotate-right (used in SHA-256): */ |
103 | #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) |
104 | |
105 | /* Two of six logical functions used in SHA-256: */ |
106 | #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) |
107 | #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) |
108 | |
109 | /* Four of six logical functions used in SHA-256: */ |
110 | #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) |
111 | #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) |
112 | #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) |
113 | #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) |
114 | |
115 | /*** INTERNAL FUNCTION PROTOTYPES *************************************/ |
116 | /* NOTE: These should not be accessed directly from outside this |
117 | * library -- they are intended for private internal visibility/use |
118 | * only. |
119 | */ |
120 | void SHA256Transform(u_int32_t *, const u_int8_t *); |
121 | |
122 | |
123 | /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ |
124 | /* Hash constant words K for SHA-256: */ |
125 | const static u_int32_t K256[64] = { |
126 | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, |
127 | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, |
128 | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, |
129 | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, |
130 | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, |
131 | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, |
132 | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, |
133 | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, |
134 | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, |
135 | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, |
136 | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, |
137 | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, |
138 | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, |
139 | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, |
140 | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, |
141 | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL |
142 | }; |
143 | |
144 | /* Initial hash value H for SHA-256: */ |
145 | const static u_int32_t sha256_initial_hash_value[8] = { |
146 | 0x6a09e667UL, |
147 | 0xbb67ae85UL, |
148 | 0x3c6ef372UL, |
149 | 0xa54ff53aUL, |
150 | 0x510e527fUL, |
151 | 0x9b05688cUL, |
152 | 0x1f83d9abUL, |
153 | 0x5be0cd19UL |
154 | }; |
155 | |
156 | |
157 | /*** SHA-256: *********************************************************/ |
158 | void |
159 | SHA256Init(SHA2_CTX *context) |
160 | { |
161 | memcpy(context->state.st32, sha256_initial_hash_value, |
162 | SHA256_DIGEST_LENGTH); |
163 | memset(context->buffer, 0, SHA256_BLOCK_LENGTH); |
164 | context->bitcount[0] = 0; |
165 | context->bitcount[1] = 0; |
166 | } |
167 | |
168 | void |
169 | SHA256Transform(u_int32_t *state, const u_int8_t *data) |
170 | { |
171 | u_int32_t a, b, c, d, e, f, g, h, s0, s1; |
172 | u_int32_t T1, T2, W256[16]; |
173 | int j; |
174 | |
175 | /* Initialize registers with the prev. intermediate value */ |
176 | a = state[0]; |
177 | b = state[1]; |
178 | c = state[2]; |
179 | d = state[3]; |
180 | e = state[4]; |
181 | f = state[5]; |
182 | g = state[6]; |
183 | h = state[7]; |
184 | |
185 | j = 0; |
186 | do { |
187 | W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | |
188 | ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); |
189 | data += 4; |
190 | /* Apply the SHA-256 compression function to update a..h */ |
191 | T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; |
192 | T2 = Sigma0_256(a) + Maj(a, b, c); |
193 | h = g; |
194 | g = f; |
195 | f = e; |
196 | e = d + T1; |
197 | d = c; |
198 | c = b; |
199 | b = a; |
200 | a = T1 + T2; |
201 | |
202 | j++; |
203 | } while (j < 16); |
204 | |
205 | do { |
206 | /* Part of the message block expansion: */ |
207 | s0 = W256[(j+1)&0x0f]; |
208 | s0 = sigma0_256(s0); |
209 | s1 = W256[(j+14)&0x0f]; |
210 | s1 = sigma1_256(s1); |
211 | |
212 | /* Apply the SHA-256 compression function to update a..h */ |
213 | T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + |
214 | (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); |
215 | T2 = Sigma0_256(a) + Maj(a, b, c); |
216 | h = g; |
217 | g = f; |
218 | f = e; |
219 | e = d + T1; |
220 | d = c; |
221 | c = b; |
222 | b = a; |
223 | a = T1 + T2; |
224 | |
225 | j++; |
226 | } while (j < 64); |
227 | |
228 | /* Compute the current intermediate hash value */ |
229 | state[0] += a; |
230 | state[1] += b; |
231 | state[2] += c; |
232 | state[3] += d; |
233 | state[4] += e; |
234 | state[5] += f; |
235 | state[6] += g; |
236 | state[7] += h; |
237 | |
238 | /* Clean up */ |
239 | a = b = c = d = e = f = g = h = T1 = T2 = 0; |
240 | } |
241 | |
242 | void |
243 | SHA256Update(SHA2_CTX *context, const void *dataptr, size_t len) |
244 | { |
245 | const u_int8_t *data = dataptr; |
246 | size_t freespace, usedspace; |
247 | |
248 | /* Calling with no data is valid (we do nothing) */ |
249 | if (len == 0) |
250 | return; |
251 | |
252 | usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; |
253 | if (usedspace > 0) { |
254 | /* Calculate how much free space is available in the buffer */ |
255 | freespace = SHA256_BLOCK_LENGTH - usedspace; |
256 | |
257 | if (len >= freespace) { |
258 | /* Fill the buffer completely and process it */ |
259 | memcpy(&context->buffer[usedspace], data, freespace); |
260 | ADDINC64(context->bitcount, freespace << 3); |
261 | len -= freespace; |
262 | data += freespace; |
263 | SHA256Transform(context->state.st32, context->buffer); |
264 | } else { |
265 | /* The buffer is not yet full */ |
266 | memcpy(&context->buffer[usedspace], data, len); |
267 | ADDINC64(context->bitcount, len << 3); |
268 | /* Clean up: */ |
269 | usedspace = freespace = 0; |
270 | return; |
271 | } |
272 | } |
273 | while (len >= SHA256_BLOCK_LENGTH) { |
274 | /* Process as many complete blocks as we can */ |
275 | SHA256Transform(context->state.st32, data); |
276 | ADDINC64(context->bitcount, SHA256_BLOCK_LENGTH << 3); |
277 | len -= SHA256_BLOCK_LENGTH; |
278 | data += SHA256_BLOCK_LENGTH; |
279 | } |
280 | if (len > 0) { |
281 | /* There's left-overs, so save 'em */ |
282 | memcpy(context->buffer, data, len); |
283 | ADDINC64(context->bitcount, len << 3); |
284 | } |
285 | /* Clean up: */ |
286 | usedspace = freespace = 0; |
287 | } |
288 | |
289 | void |
290 | SHA256Final(u_int8_t digest[], SHA2_CTX *context) |
291 | { |
292 | unsigned int usedspace; |
293 | |
294 | usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; |
295 | if (usedspace > 0) { |
296 | /* Begin padding with a 1 bit: */ |
297 | context->buffer[usedspace++] = 0x80; |
298 | |
299 | if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { |
300 | /* Set-up for the last transform: */ |
301 | memset(&context->buffer[usedspace], 0, |
302 | SHA256_SHORT_BLOCK_LENGTH - usedspace); |
303 | } else { |
304 | if (usedspace < SHA256_BLOCK_LENGTH) { |
305 | memset(&context->buffer[usedspace], 0, |
306 | SHA256_BLOCK_LENGTH - usedspace); |
307 | } |
308 | /* Do second-to-last transform: */ |
309 | SHA256Transform(context->state.st32, context->buffer); |
310 | |
311 | /* And set-up for the last transform: */ |
312 | memset(context->buffer, 0, |
313 | SHA256_SHORT_BLOCK_LENGTH); |
314 | } |
315 | } else { |
316 | /* Set-up for the last transform: */ |
317 | memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); |
318 | |
319 | /* Begin padding with a 1 bit: */ |
320 | *context->buffer = 0x80; |
321 | } |
322 | /* Set the bit count: */ |
323 | *(u_int32_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount[1]; |
324 | *(u_int32_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH + 4] = context->bitcount[0]; |
325 | |
326 | /* Final transform: */ |
327 | SHA256Transform(context->state.st32, context->buffer); |
328 | memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH); |
329 | |
330 | /* Clean up state data: */ |
331 | memset(context, 0, sizeof(*context)); |
332 | usedspace = 0; |
333 | } |
334 | |
335 | char * |
336 | SHA256End(SHA2_CTX *ctx, char *buf) |
337 | { |
338 | short i; |
339 | u_int8_t digest[SHA256_DIGEST_LENGTH]; |
340 | static const char hex[] = "0123456789abcdef"; |
341 | |
342 | if (buf == NULL) |
343 | return NULL; |
344 | |
345 | SHA256Final(digest, ctx); |
346 | for (i = 0; i < SHA256_DIGEST_LENGTH; i++) { |
347 | buf[i + i] = hex[digest[i] >> 4]; |
348 | buf[i + i + 1] = hex[digest[i] & 0x0f]; |
349 | } |
350 | buf[i + i] = '\0'; |
351 | memset(digest, 0, sizeof(digest)); |
352 | return (buf); |
353 | } |
354 | |
355 | char * |
356 | SHA256Data(const u_int8_t *data, size_t len, char *buf) |
357 | { |
358 | SHA2_CTX ctx; |
359 | |
360 | SHA256Init(&ctx); |
361 | SHA256Update(&ctx, data, len); |
362 | return SHA256End(&ctx, buf); |
363 | } |