RTEMS
sha256c.c
1 /*-
2  * Copyright 2005 Colin Percival
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  * notice, this list of conditions and the following disclaimer in the
12  * documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include <sys/endian.h>
31 #include <sys/types.h>
32 
33 #include <string.h>
34 
35 #include "sha256.h"
36 
37 #if BYTE_ORDER == BIG_ENDIAN
38 
39 /* Copy a vector of big-endian uint32_t into a vector of bytes */
40 #define be32enc_vect(dst, src, len) \
41  memcpy((void *)dst, (const void *)src, (size_t)len)
42 
43 /* Copy a vector of bytes into a vector of big-endian uint32_t */
44 #define be32dec_vect(dst, src, len) \
45  memcpy((void *)dst, (const void *)src, (size_t)len)
46 
47 #else /* BYTE_ORDER != BIG_ENDIAN */
48 
49 /*
50  * Encode a length len/4 vector of (uint32_t) into a length len vector of
51  * (unsigned char) in big-endian form. Assumes len is a multiple of 4.
52  */
53 static void
54 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
55 {
56  size_t i;
57 
58  for (i = 0; i < len / 4; i++)
59  be32enc(dst + i * 4, src[i]);
60 }
61 
62 /*
63  * Decode a big-endian length len vector of (unsigned char) into a length
64  * len/4 vector of (uint32_t). Assumes len is a multiple of 4.
65  */
66 static void
67 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
68 {
69  size_t i;
70 
71  for (i = 0; i < len / 4; i++)
72  dst[i] = be32dec(src + i * 4);
73 }
74 
75 #endif /* BYTE_ORDER != BIG_ENDIAN */
76 
77 /* Elementary functions used by SHA256 */
78 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
79 #define Maj(x, y, z) ((x & (y | z)) | (y & z))
80 #define SHR(x, n) (x >> n)
81 #define ROTR(x, n) ((x >> n) | (x << (32 - n)))
82 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
83 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
84 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
85 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
86 
87 /* SHA256 round function */
88 #define RND(a, b, c, d, e, f, g, h, k) \
89  t0 = h + S1(e) + Ch(e, f, g) + k; \
90  t1 = S0(a) + Maj(a, b, c); \
91  d += t0; \
92  h = t0 + t1;
93 
94 /* Adjusted round function for rotating state */
95 #define RNDr(S, W, i, k) \
96  RND(S[(64 - i) % 8], S[(65 - i) % 8], \
97  S[(66 - i) % 8], S[(67 - i) % 8], \
98  S[(68 - i) % 8], S[(69 - i) % 8], \
99  S[(70 - i) % 8], S[(71 - i) % 8], \
100  W[i] + k)
101 
102 /*
103  * SHA256 block compression function. The 256-bit state is transformed via
104  * the 512-bit input block to produce a new state.
105  */
106 static void
107 SHA256_Transform(uint32_t * state, const unsigned char block[64])
108 {
109  uint32_t W[64];
110  uint32_t S[8];
111  uint32_t t0, t1;
112  int i;
113 
114  /* 1. Prepare message schedule W. */
115  be32dec_vect(W, block, 64);
116  for (i = 16; i < 64; i++)
117  W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
118 
119  /* 2. Initialize working variables. */
120  memcpy(S, state, 32);
121 
122  /* 3. Mix. */
123  RNDr(S, W, 0, 0x428a2f98);
124  RNDr(S, W, 1, 0x71374491);
125  RNDr(S, W, 2, 0xb5c0fbcf);
126  RNDr(S, W, 3, 0xe9b5dba5);
127  RNDr(S, W, 4, 0x3956c25b);
128  RNDr(S, W, 5, 0x59f111f1);
129  RNDr(S, W, 6, 0x923f82a4);
130  RNDr(S, W, 7, 0xab1c5ed5);
131  RNDr(S, W, 8, 0xd807aa98);
132  RNDr(S, W, 9, 0x12835b01);
133  RNDr(S, W, 10, 0x243185be);
134  RNDr(S, W, 11, 0x550c7dc3);
135  RNDr(S, W, 12, 0x72be5d74);
136  RNDr(S, W, 13, 0x80deb1fe);
137  RNDr(S, W, 14, 0x9bdc06a7);
138  RNDr(S, W, 15, 0xc19bf174);
139  RNDr(S, W, 16, 0xe49b69c1);
140  RNDr(S, W, 17, 0xefbe4786);
141  RNDr(S, W, 18, 0x0fc19dc6);
142  RNDr(S, W, 19, 0x240ca1cc);
143  RNDr(S, W, 20, 0x2de92c6f);
144  RNDr(S, W, 21, 0x4a7484aa);
145  RNDr(S, W, 22, 0x5cb0a9dc);
146  RNDr(S, W, 23, 0x76f988da);
147  RNDr(S, W, 24, 0x983e5152);
148  RNDr(S, W, 25, 0xa831c66d);
149  RNDr(S, W, 26, 0xb00327c8);
150  RNDr(S, W, 27, 0xbf597fc7);
151  RNDr(S, W, 28, 0xc6e00bf3);
152  RNDr(S, W, 29, 0xd5a79147);
153  RNDr(S, W, 30, 0x06ca6351);
154  RNDr(S, W, 31, 0x14292967);
155  RNDr(S, W, 32, 0x27b70a85);
156  RNDr(S, W, 33, 0x2e1b2138);
157  RNDr(S, W, 34, 0x4d2c6dfc);
158  RNDr(S, W, 35, 0x53380d13);
159  RNDr(S, W, 36, 0x650a7354);
160  RNDr(S, W, 37, 0x766a0abb);
161  RNDr(S, W, 38, 0x81c2c92e);
162  RNDr(S, W, 39, 0x92722c85);
163  RNDr(S, W, 40, 0xa2bfe8a1);
164  RNDr(S, W, 41, 0xa81a664b);
165  RNDr(S, W, 42, 0xc24b8b70);
166  RNDr(S, W, 43, 0xc76c51a3);
167  RNDr(S, W, 44, 0xd192e819);
168  RNDr(S, W, 45, 0xd6990624);
169  RNDr(S, W, 46, 0xf40e3585);
170  RNDr(S, W, 47, 0x106aa070);
171  RNDr(S, W, 48, 0x19a4c116);
172  RNDr(S, W, 49, 0x1e376c08);
173  RNDr(S, W, 50, 0x2748774c);
174  RNDr(S, W, 51, 0x34b0bcb5);
175  RNDr(S, W, 52, 0x391c0cb3);
176  RNDr(S, W, 53, 0x4ed8aa4a);
177  RNDr(S, W, 54, 0x5b9cca4f);
178  RNDr(S, W, 55, 0x682e6ff3);
179  RNDr(S, W, 56, 0x748f82ee);
180  RNDr(S, W, 57, 0x78a5636f);
181  RNDr(S, W, 58, 0x84c87814);
182  RNDr(S, W, 59, 0x8cc70208);
183  RNDr(S, W, 60, 0x90befffa);
184  RNDr(S, W, 61, 0xa4506ceb);
185  RNDr(S, W, 62, 0xbef9a3f7);
186  RNDr(S, W, 63, 0xc67178f2);
187 
188  /* 4. Mix local working variables into global state */
189  for (i = 0; i < 8; i++)
190  state[i] += S[i];
191 }
192 
193 static const unsigned char PAD[64] = {
194  0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
195  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
196  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
197  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
198 };
199 
200 /* Add padding and terminating bit-count. */
201 static void
202 SHA256_Pad(SHA256_CTX * ctx)
203 {
204  unsigned char len[8];
205  uint32_t r, plen;
206 
207  /*
208  * Convert length to a vector of bytes -- we do this now rather
209  * than later because the length will change after we pad.
210  */
211  be64enc(len, ctx->count);
212 
213  /* Add 1--64 bytes so that the resulting length is 56 mod 64 */
214  r = (ctx->count >> 3) & 0x3f;
215  plen = (r < 56) ? (56 - r) : (120 - r);
216  SHA256_Update(ctx, PAD, (size_t)plen);
217 
218  /* Add the terminating bit-count */
219  SHA256_Update(ctx, len, 8);
220 }
221 
222 /* SHA-256 initialization. Begins a SHA-256 operation. */
223 void
224 SHA256_Init(SHA256_CTX * ctx)
225 {
226 
227  /* Zero bits processed so far */
228  ctx->count = 0;
229 
230  /* Magic initialization constants */
231  ctx->state[0] = 0x6A09E667;
232  ctx->state[1] = 0xBB67AE85;
233  ctx->state[2] = 0x3C6EF372;
234  ctx->state[3] = 0xA54FF53A;
235  ctx->state[4] = 0x510E527F;
236  ctx->state[5] = 0x9B05688C;
237  ctx->state[6] = 0x1F83D9AB;
238  ctx->state[7] = 0x5BE0CD19;
239 }
240 
241 /* Add bytes into the hash */
242 void
243 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
244 {
245  uint64_t bitlen;
246  uint32_t r;
247  const unsigned char *src = in;
248 
249  /* Number of bytes left in the buffer from previous updates */
250  r = (ctx->count >> 3) & 0x3f;
251 
252  /* Convert the length into a number of bits */
253  bitlen = len << 3;
254 
255  /* Update number of bits */
256  ctx->count += bitlen;
257 
258  /* Handle the case where we don't need to perform any transforms */
259  if (len < 64 - r) {
260  memcpy(&ctx->buf[r], src, len);
261  return;
262  }
263 
264  /* Finish the current block */
265  memcpy(&ctx->buf[r], src, 64 - r);
266  SHA256_Transform(ctx->state, ctx->buf);
267  src += 64 - r;
268  len -= 64 - r;
269 
270  /* Perform complete blocks */
271  while (len >= 64) {
272  SHA256_Transform(ctx->state, src);
273  src += 64;
274  len -= 64;
275  }
276 
277  /* Copy left over data into buffer */
278  memcpy(ctx->buf, src, len);
279 }
280 
281 /*
282  * SHA-256 finalization. Pads the input data, exports the hash value,
283  * and clears the context state.
284  */
285 void
286 SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx)
287 {
288 
289  /* Add padding */
290  SHA256_Pad(ctx);
291 
292  /* Write the hash */
293  be32enc_vect(digest, ctx->state, 32);
294 
295  /* Clear the context state */
296  memset((void *)ctx, 0, sizeof(*ctx));
297 }
Generated by   doxygen 1.8.14