Line data Source code
1 : /*
2 : * Code originally from LibTomCrypt -- Licensed under the Public Domain/WTFPL2.0
3 : */
4 :
5 : #include "sha256.h"
6 : #include "sha.h"
7 :
8 : /* Various logical functions */
9 : #define Ch(x, y, z) (z ^ (x & (y ^ z)))
10 : #define Maj(x, y, z) (((x | y) & z) | (x & y))
11 : #define S(x, n) RORc((x), (n))
12 : #define R(x, n) (((x)&0xFFFFFFFFUL) >> (n))
13 : #define Sigma0(x) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
14 : #define Sigma1(x) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
15 : #define Gamma0(x) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
16 : #define Gamma1(x) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
17 :
18 0 : static void sha256_compress(sha256_context *md, const uint8_t *buf)
19 : {
20 0 : uint32_t S[8], W[64], t0, t1;
21 0 : int i;
22 :
23 : /* copy state into S */
24 0 : for (i = 0; i < 8; i++) {
25 0 : S[i] = md->state[i];
26 : }
27 :
28 : /* copy the state into 512-bits into W[0..15] */
29 0 : for (i = 0; i < 16; i++) {
30 0 : LOAD32H(W[i], buf + (4 * i));
31 : }
32 :
33 : /* fill W[16..63] */
34 0 : for (i = 16; i < 64; i++) {
35 0 : W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16];
36 : }
37 :
38 : /* Compress */
39 : #define RND(a, b, c, d, e, f, g, h, i, ki) \
40 : t0 = h + Sigma1(e) + Ch(e, f, g) + ki + W[i]; \
41 : t1 = Sigma0(a) + Maj(a, b, c); \
42 : d += t0; \
43 : h = t0 + t1;
44 :
45 0 : RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 0, 0x428a2f98);
46 0 : RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 1, 0x71374491);
47 0 : RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 2, 0xb5c0fbcf);
48 0 : RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 3, 0xe9b5dba5);
49 0 : RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 4, 0x3956c25b);
50 0 : RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 5, 0x59f111f1);
51 0 : RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 6, 0x923f82a4);
52 0 : RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 7, 0xab1c5ed5);
53 0 : RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 8, 0xd807aa98);
54 0 : RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 9, 0x12835b01);
55 0 : RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 10, 0x243185be);
56 0 : RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 11, 0x550c7dc3);
57 0 : RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 12, 0x72be5d74);
58 0 : RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 13, 0x80deb1fe);
59 0 : RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 14, 0x9bdc06a7);
60 0 : RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 15, 0xc19bf174);
61 0 : RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 16, 0xe49b69c1);
62 0 : RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 17, 0xefbe4786);
63 0 : RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 18, 0x0fc19dc6);
64 0 : RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 19, 0x240ca1cc);
65 0 : RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 20, 0x2de92c6f);
66 0 : RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 21, 0x4a7484aa);
67 0 : RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 22, 0x5cb0a9dc);
68 0 : RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 23, 0x76f988da);
69 0 : RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 24, 0x983e5152);
70 0 : RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 25, 0xa831c66d);
71 0 : RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 26, 0xb00327c8);
72 0 : RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 27, 0xbf597fc7);
73 0 : RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 28, 0xc6e00bf3);
74 0 : RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 29, 0xd5a79147);
75 0 : RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 30, 0x06ca6351);
76 0 : RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 31, 0x14292967);
77 0 : RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 32, 0x27b70a85);
78 0 : RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 33, 0x2e1b2138);
79 0 : RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 34, 0x4d2c6dfc);
80 0 : RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 35, 0x53380d13);
81 0 : RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 36, 0x650a7354);
82 0 : RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 37, 0x766a0abb);
83 0 : RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 38, 0x81c2c92e);
84 0 : RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 39, 0x92722c85);
85 0 : RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 40, 0xa2bfe8a1);
86 0 : RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 41, 0xa81a664b);
87 0 : RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 42, 0xc24b8b70);
88 0 : RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 43, 0xc76c51a3);
89 0 : RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 44, 0xd192e819);
90 0 : RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 45, 0xd6990624);
91 0 : RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 46, 0xf40e3585);
92 0 : RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 47, 0x106aa070);
93 0 : RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 48, 0x19a4c116);
94 0 : RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 49, 0x1e376c08);
95 0 : RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 50, 0x2748774c);
96 0 : RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 51, 0x34b0bcb5);
97 0 : RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 52, 0x391c0cb3);
98 0 : RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 53, 0x4ed8aa4a);
99 0 : RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 54, 0x5b9cca4f);
100 0 : RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 55, 0x682e6ff3);
101 0 : RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], 56, 0x748f82ee);
102 0 : RND(S[7], S[0], S[1], S[2], S[3], S[4], S[5], S[6], 57, 0x78a5636f);
103 0 : RND(S[6], S[7], S[0], S[1], S[2], S[3], S[4], S[5], 58, 0x84c87814);
104 0 : RND(S[5], S[6], S[7], S[0], S[1], S[2], S[3], S[4], 59, 0x8cc70208);
105 0 : RND(S[4], S[5], S[6], S[7], S[0], S[1], S[2], S[3], 60, 0x90befffa);
106 0 : RND(S[3], S[4], S[5], S[6], S[7], S[0], S[1], S[2], 61, 0xa4506ceb);
107 0 : RND(S[2], S[3], S[4], S[5], S[6], S[7], S[0], S[1], 62, 0xbef9a3f7);
108 0 : RND(S[1], S[2], S[3], S[4], S[5], S[6], S[7], S[0], 63, 0xc67178f2);
109 :
110 : #undef RND
111 :
112 : /* feedback */
113 0 : for (i = 0; i < 8; i++) {
114 0 : md->state[i] = md->state[i] + S[i];
115 : }
116 0 : }
117 :
118 0 : void sha256_init(sha256_context *md)
119 : {
120 0 : md->curlen = 0;
121 0 : md->length = 0;
122 0 : md->state[0] = 0x6A09E667UL;
123 0 : md->state[1] = 0xBB67AE85UL;
124 0 : md->state[2] = 0x3C6EF372UL;
125 0 : md->state[3] = 0xA54FF53AUL;
126 0 : md->state[4] = 0x510E527FUL;
127 0 : md->state[5] = 0x9B05688CUL;
128 0 : md->state[6] = 0x1F83D9ABUL;
129 0 : md->state[7] = 0x5BE0CD19UL;
130 0 : }
131 :
132 0 : void sha256_process(sha256_context *md, const uint8_t *in, size_t inlen)
133 : {
134 0 : size_t n;
135 0 : if (md->curlen > sizeof(md->buf)) {
136 : return;
137 : }
138 0 : if ((md->length + inlen) < md->length) {
139 : return;
140 : }
141 0 : while (inlen > 0) {
142 0 : if (md->curlen == 0 && inlen >= 64) {
143 0 : sha256_compress(md, in);
144 0 : md->length += 64 * 8;
145 0 : in += 64;
146 0 : inlen -= 64;
147 : } else {
148 0 : n = (((inlen) < ((64 - md->curlen))) ? (inlen)
149 : : ((64 - md->curlen)));
150 0 : memcpy(md->buf + md->curlen, in, (size_t)n);
151 0 : md->curlen += n;
152 0 : in += n;
153 0 : inlen -= n;
154 0 : if (md->curlen == 64) {
155 0 : sha256_compress(md, md->buf);
156 0 : md->length += 8 * 64;
157 0 : md->curlen = 0;
158 : }
159 : }
160 : }
161 : }
162 :
163 0 : void sha256_done(sha256_context *md, uint8_t *out)
164 : {
165 0 : int i;
166 :
167 0 : if (md->curlen >= sizeof(md->buf)) {
168 : return;
169 : }
170 :
171 : /* increase the length of the message */
172 0 : md->length += md->curlen * 8;
173 :
174 : /* append the '1' bit */
175 0 : md->buf[md->curlen++] = (uint8_t)0x80;
176 :
177 : /* if the length is currently above 56 bytes we append zeros
178 : * then compress. Then we can fall back to padding zeros and length
179 : * encoding like normal.
180 : */
181 0 : if (md->curlen > 56) {
182 0 : while (md->curlen < 64) {
183 0 : md->buf[md->curlen++] = (uint8_t)0;
184 : }
185 0 : sha256_compress(md, md->buf);
186 0 : md->curlen = 0;
187 : }
188 :
189 : /* pad upto 56 bytes of zeroes */
190 0 : while (md->curlen < 56) {
191 0 : md->buf[md->curlen++] = (uint8_t)0;
192 : }
193 :
194 : /* store length */
195 0 : STORE64H(md->length, md->buf + 56);
196 0 : sha256_compress(md, md->buf);
197 :
198 : /* copy output */
199 0 : for (i = 0; i < 8; i++) {
200 0 : STORE32H(md->state[i], out + (4 * i));
201 : }
202 : }
203 :
204 0 : void sha256_hash(const uint8_t *data, size_t len, uint8_t *digest)
205 : {
206 0 : sha256_context md;
207 0 : sha256_init(&md);
208 0 : sha256_process(&md, data, len);
209 0 : sha256_done(&md, digest);
210 0 : }
|
