1/*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 *     http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16//! This module implements the SHA256 hash algorithm.
17
/// Mask that keeps the low 8 bits of a word.
const LOWER_BYTES_MASK: u32 = 0xff;
/// Number of bits in one byte.
const BITS_PER_U8: usize = 8;
/// Number of bytes packed into one 32-bit word.
const U8_PER_U32: usize = 4;
/// Length in bytes of the digest produced by the in-file implementation.
const SHA256_LEN: usize = 32;
/// Size in bytes of one message chunk. The message schedule built by
/// `expand_chunk` reuses this constant as its word count, which is also 64.
const BYTES_PER_CHUNK: usize = 64;

/// Initial hash value H(0) of SHA-256 (eight 32-bit words).
const SHA256_H: [u32; 8] = [
    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
];

/// The 64 SHA-256 round constants, one per compression round.
const SHA256_K: [u32; 64] = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
];
37
/// Builds the 64-word message schedule for one 64-byte chunk.
///
/// Words 0..16 are the chunk bytes read as big-endian 32-bit words. Each of
/// the words 16..64 is the wrapping sum of two earlier words and the two
/// rotate/shift mixes of two other earlier words.
fn expand_chunk(plain_chunk: [u8; BYTES_PER_CHUNK]) -> [u32; BYTES_PER_CHUNK] {
    let mut schedule = [0u32; BYTES_PER_CHUNK];

    // 64 input bytes give exactly 16 four-byte groups, so the zip stops after word 15.
    for (word, bytes) in schedule.iter_mut().zip(plain_chunk.chunks_exact(U8_PER_U32)) {
        *word = u32::from_be_bytes([bytes[0], bytes[1], bytes[2], bytes[3]]);
    }

    for t in 16..schedule.len() {
        let w15 = schedule[t - 15];
        let w2 = schedule[t - 2];
        let sigma0 = w15.rotate_right(7) ^ w15.rotate_right(18) ^ (w15 >> 3);
        let sigma1 = w2.rotate_right(17) ^ w2.rotate_right(19) ^ (w2 >> 10);
        schedule[t] = schedule[t - 16]
            .wrapping_add(sigma0)
            .wrapping_add(schedule[t - 7])
            .wrapping_add(sigma1);
    }

    schedule
}
60
/// Runs the 64 SHA-256 rounds over one expanded chunk and returns the eight
/// working words as they stand after the last round.
///
/// The working words always start from `SHA256_H`; this function takes no
/// running state. The returned words are not yet added to any hash state,
/// that addition is left to the caller.
fn compress_chunk(expanded_chunk: [u32; 64]) -> [u32; 8] {
    let [mut a, mut b, mut c, mut d, mut e, mut f, mut g, mut h] = SHA256_H;

    for (&k, &w) in SHA256_K.iter().zip(expanded_chunk.iter()) {
        let big_sigma1 = e.rotate_right(6) ^ e.rotate_right(11) ^ e.rotate_right(25);
        let choose = (e & f) ^ (!e & g);
        let temp1 = h
            .wrapping_add(big_sigma1)
            .wrapping_add(choose)
            .wrapping_add(k)
            .wrapping_add(w);

        let big_sigma0 = a.rotate_right(2) ^ a.rotate_right(13) ^ a.rotate_right(22);
        let major = (a & b) ^ (a & c) ^ (b & c);
        let temp2 = big_sigma0.wrapping_add(major);

        // Shift the working words down by one position and feed in the new values.
        h = g;
        g = f;
        f = e;
        e = d.wrapping_add(temp1);
        d = c;
        c = b;
        b = a;
        a = temp1.wrapping_add(temp2);
    }

    [a, b, c, d, e, f, g, h]
}
91
/// Folds every complete 64-byte chunk of `input_bytes` into eight 32-bit words.
///
/// The accumulator starts at `SHA256_H`. Each chunk is expanded and compressed
/// on its own, and the eight words of the result are added (wrapping) to the
/// accumulator. Bytes after the last complete chunk are ignored.
///
/// NOTE(review): `compress_chunk` restarts from `SHA256_H` for every chunk
/// instead of continuing from the accumulator. For input longer than one chunk
/// the result therefore differs from SHA-256 and does not depend on the order
/// of the chunks, so it gives no collision resistance for such input.
/// Presumably this is kept as-is so previously computed values stay
/// reproducible; confirm before changing or reusing it.
fn compress(input_bytes: &[u8]) -> [u32; 8] {
    let mut state = SHA256_H;

    for block in input_bytes.chunks_exact(BYTES_PER_CHUNK) {
        // Cannot fail: chunks_exact only yields slices of exactly BYTES_PER_CHUNK bytes.
        let plain_chunk: [u8; BYTES_PER_CHUNK] = block.try_into().unwrap();
        let mixed = compress_chunk(expand_chunk(plain_chunk));

        for (acc, word) in state.iter_mut().zip(mixed.iter()) {
            *acc = acc.wrapping_add(*word);
        }
    }

    state
}
106
/// Returns a padded copy of `message` whose length is a multiple of 64 bytes.
///
/// The copy is followed by one `0x80` byte, then zero bytes up to 56 modulo
/// 64, then the message length in bits as eight big-endian bytes.
///
/// NOTE(review): the bit length is computed and shifted as a `usize`. Where
/// `usize` is 32 bits wide, the shifts by 32 to 56 bits overflow: they panic
/// when overflow checks are enabled and produce wrong length bytes otherwise.
/// Doing the arithmetic in `u64` would avoid that, but would also change the
/// output of this path on such targets; decide with the owners of the callers.
fn pre_process_msg(message: &[u8]) -> Vec<u8> {
    let msg_len = message.len();
    let tail = msg_len % BYTES_PER_CHUNK;
    // Total padding before the length field, including the leading 0x80 byte.
    let padding_len = if tail < 56 { 56 - tail } else { 120 - tail };

    let mut padded = message.to_vec();
    padded.push(0x80); // 1000 0000
    let zero_filled_len = padded.len() + padding_len - 1;
    padded.resize(zero_filled_len, 0x00);

    let msg_bit_len = msg_len * BITS_PER_U8;
    // Most significant byte first: shifts of 56, 48, ..., 8, 0 bits.
    for shift in (0..8).rev().map(|byte_idx| byte_idx * BITS_PER_U8) {
        padded.push(((msg_bit_len >> shift) & LOWER_BYTES_MASK as usize) as u8);
    }

    padded
}
124
/// Serialises the eight hash words into 32 bytes, most significant byte of
/// each word first.
fn into_vec_u8(hash: &[u32; 8]) -> Vec<u8> {
    let mut digest = Vec::with_capacity(SHA256_LEN);
    for word in hash.iter() {
        digest.extend_from_slice(&word.to_be_bytes());
    }
    digest
}
136
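extern "C" {
    /// Native one-shot SHA-256: reads `input_len` bytes from `input` and
    /// writes the digest to `output`.
    ///
    /// NOTE(review): the declaration returns nothing, so a failure on the
    /// native side cannot be observed from Rust. Presumably `output` must point
    /// to at least 32 writable bytes; confirm against the C definition.
    fn Sha256(input: *const u8, input_len: u32, output: *mut u8);
}

/// Size in bytes of the digest buffer handed to `Sha256`.
const SHA256_OUTPUT_LEN: usize = 32;

/// Computes SHA-256 of `message` through the native `Sha256` binding (OpenSSL).
///
/// The result buffer is zero-filled before the call. Because the binding
/// reports no status, a native failure that leaves the buffer untouched would
/// surface here as an all-zero digest.
///
/// # Panics
///
/// Panics if `message` is longer than `u32::MAX` bytes. The binding takes a
/// 32-bit length, and casting a longer length would silently hash only part of
/// the message.
fn sha256_new(message: &[u8]) -> Vec<u8> {
    let input_len = u32::try_from(message.len())
        .expect("sha256: message length exceeds the u32 length accepted by the native Sha256 binding");
    let mut res = vec![0; SHA256_OUTPUT_LEN];
    // SAFETY: `message.as_ptr()` is valid for reads of `input_len` bytes because
    // `input_len` equals `message.len()`, and `res` owns SHA256_OUTPUT_LEN
    // writable bytes. That the native function writes at most that many bytes
    // is assumed from the digest size; confirm against the C definition.
    unsafe { Sha256(message.as_ptr(), input_len, res.as_mut_ptr()) }
    res
}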
149
/// Hashes `message` with the implementation contained in this file: pad,
/// fold the chunks, then serialise the eight words to 32 bytes.
///
/// NOTE(review): `compress` processes every chunk starting from `SHA256_H`
/// rather than from the running state. The result equals SHA-256 only while
/// the padded message is a single chunk, i.e. for messages of up to 55 bytes.
/// For longer messages it is a different, chunk-order-independent value and
/// must not be relied on for collision resistance.
fn sha256_old(message: &[u8]) -> Vec<u8> {
    let padded = pre_process_msg(message);
    let state = compress(&padded);
    into_vec_u8(&state)
}
155
/// Hashes `message` and returns the 32-byte result.
///
/// With `standard == true` the digest comes from the native `Sha256` binding.
/// With `standard == false` it comes from the implementation in this file,
/// which agrees with SHA-256 only for messages of up to 55 bytes.
///
/// NOTE(review): the in-file path is presumably kept so that values computed
/// earlier stay reproducible; confirm before passing `false` for new data.
pub fn sha256(standard: bool, message: &[u8]) -> Vec<u8> {
    if standard {
        sha256_new(message)
    } else {
        sha256_old(message)
    }
}
164