xref: /third_party/FreeBSD/sys/crypto/sha2/sha256c.c (revision f9f848fa) 
1/*-
2 * Copyright 2005 Colin Percival
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
28#include <endian.h>
29#include <sys/types.h>
30
31#ifdef _KERNEL
32#include <sys/systm.h>
33#else
34#include <string.h>
35#endif
36
37#include "sha256.h"
38
39#if BYTE_ORDER == BIG_ENDIAN
40
41/* Copy a vector of big-endian uint32_t into a vector of bytes */
42#define be32enc_vect(dst, src, len)	\
43	memcpy((void *)dst, (const void *)src, (size_t)len)
44
45/* Copy a vector of bytes into a vector of big-endian uint32_t */
46#define be32dec_vect(dst, src, len)	\
47	memcpy((void *)dst, (const void *)src, (size_t)len)
48
49#else /* BYTE_ORDER != BIG_ENDIAN */
50
51/*
52 * Encode a length len/4 vector of (uint32_t) into a length len vector of
53 * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
54 */
55static void
56be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
57{
58	size_t i;
59
60	for (i = 0; i < len / 4; i++)
61		be32enc(dst + i * 4, src[i]);
62}
63
64/*
65 * Decode a big-endian length len vector of (unsigned char) into a length
66 * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
67 */
68static void
69be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
70{
71	size_t i;
72
73	for (i = 0; i < len / 4; i++)
74		dst[i] = be32dec(src + i * 4);
75}
76
77#endif /* BYTE_ORDER != BIG_ENDIAN */
78
79/* SHA256 round constants. */
80static const uint32_t K[64] = {
81	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
82	0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
83	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
84	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
85	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
86	0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
87	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
88	0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
89	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
90	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
91	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
92	0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
93	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
94	0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
95	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
96	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
97};
98
99/* Elementary functions used by SHA256 */
100#define Ch(x, y, z)	((x & (y ^ z)) ^ z)
101#define Maj(x, y, z)	((x & (y | z)) | (y & z))
102#define SHR(x, n)	(x >> n)
103#define ROTR(x, n)	((x >> n) | (x << (32 - n)))
104#define S0(x)		(ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
105#define S1(x)		(ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
106#define s0(x)		(ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
107#define s1(x)		(ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
108
109/* SHA256 round function */
110#define RND(a, b, c, d, e, f, g, h, k)			\
111	h += S1(e) + Ch(e, f, g) + k;			\
112	d += h;						\
113	h += S0(a) + Maj(a, b, c);
114
115/* Adjusted round function for rotating state */
116#define RNDr(S, W, i, ii)			\
117	RND(S[(64 - i) % 8], S[(65 - i) % 8],	\
118	    S[(66 - i) % 8], S[(67 - i) % 8],	\
119	    S[(68 - i) % 8], S[(69 - i) % 8],	\
120	    S[(70 - i) % 8], S[(71 - i) % 8],	\
121	    W[i + ii] + K[i + ii])
122
123/* Message schedule computation */
124#define MSCH(W, ii, i)				\
125	W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
126
127/*
128 * SHA256 block compression function.  The 256-bit state is transformed via
129 * the 512-bit input block to produce a new state.
130 */
131static void
132SHA256_Transform(uint32_t * state, const unsigned char block[64])
133{
134	uint32_t W[64];
135	uint32_t S[8];
136	int i;
137
138	/* 1. Prepare the first part of the message schedule W. */
139	be32dec_vect(W, block, 64);
140
141	/* 2. Initialize working variables. */
142	memcpy(S, state, 32);
143
144	/* 3. Mix. */
145	for (i = 0; i < 64; i += 16) {
146		RNDr(S, W, 0, i);
147		RNDr(S, W, 1, i);
148		RNDr(S, W, 2, i);
149		RNDr(S, W, 3, i);
150		RNDr(S, W, 4, i);
151		RNDr(S, W, 5, i);
152		RNDr(S, W, 6, i);
153		RNDr(S, W, 7, i);
154		RNDr(S, W, 8, i);
155		RNDr(S, W, 9, i);
156		RNDr(S, W, 10, i);
157		RNDr(S, W, 11, i);
158		RNDr(S, W, 12, i);
159		RNDr(S, W, 13, i);
160		RNDr(S, W, 14, i);
161		RNDr(S, W, 15, i);
162
163		if (i == 48)
164			break;
165		MSCH(W, 0, i);
166		MSCH(W, 1, i);
167		MSCH(W, 2, i);
168		MSCH(W, 3, i);
169		MSCH(W, 4, i);
170		MSCH(W, 5, i);
171		MSCH(W, 6, i);
172		MSCH(W, 7, i);
173		MSCH(W, 8, i);
174		MSCH(W, 9, i);
175		MSCH(W, 10, i);
176		MSCH(W, 11, i);
177		MSCH(W, 12, i);
178		MSCH(W, 13, i);
179		MSCH(W, 14, i);
180		MSCH(W, 15, i);
181	}
182
183	/* 4. Mix local working variables into global state */
184	for (i = 0; i < 8; i++)
185		state[i] += S[i];
186}
187
188static unsigned char PAD[64] = {
189	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
190	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
191	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
192	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
193};
194
195/* Add padding and terminating bit-count. */
196static void
197SHA256_Pad(SHA256_CTX * ctx)
198{
199	size_t r;
200
201	/* Figure out how many bytes we have buffered. */
202	r = (ctx->count >> 3) & 0x3f;
203
204	/* Pad to 56 mod 64, transforming if we finish a block en route. */
205	if (r < 56) {
206		/* Pad to 56 mod 64. */
207		memcpy(&ctx->buf[r], PAD, 56 - r);
208	} else {
209		/* Finish the current block and mix. */
210		memcpy(&ctx->buf[r], PAD, 64 - r);
211		SHA256_Transform(ctx->state, ctx->buf);
212
213		/* The start of the final block is all zeroes. */
214		memset(&ctx->buf[0], 0, 56);
215	}
216
217	/* Add the terminating bit-count. */
218	be64enc(&ctx->buf[56], ctx->count);
219
220	/* Mix in the final block. */
221	SHA256_Transform(ctx->state, ctx->buf);
222}
223
224/* SHA-256 initialization.  Begins a SHA-256 operation. */
225void
226SHA256_Init(SHA256_CTX * ctx)
227{
228
229	/* Zero bits processed so far */
230	ctx->count = 0;
231
232	/* Magic initialization constants */
233	ctx->state[0] = 0x6A09E667;
234	ctx->state[1] = 0xBB67AE85;
235	ctx->state[2] = 0x3C6EF372;
236	ctx->state[3] = 0xA54FF53A;
237	ctx->state[4] = 0x510E527F;
238	ctx->state[5] = 0x9B05688C;
239	ctx->state[6] = 0x1F83D9AB;
240	ctx->state[7] = 0x5BE0CD19;
241}
242
243/* Add bytes into the hash */
244void
245SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
246{
247	uint64_t bitlen;
248	uint32_t r;
249	const unsigned char *src = in;
250
251	/* Number of bytes left in the buffer from previous updates */
252	r = (ctx->count >> 3) & 0x3f;
253
254	/* Convert the length into a number of bits */
255	bitlen = len << 3;
256
257	/* Update number of bits */
258	ctx->count += bitlen;
259
260	/* Handle the case where we don't need to perform any transforms */
261	if (len < 64 - r) {
262		memcpy(&ctx->buf[r], src, len);
263		return;
264	}
265
266	/* Finish the current block */
267	memcpy(&ctx->buf[r], src, 64 - r);
268	SHA256_Transform(ctx->state, ctx->buf);
269	src += 64 - r;
270	len -= 64 - r;
271
272	/* Perform complete blocks */
273	while (len >= 64) {
274		SHA256_Transform(ctx->state, src);
275		src += 64;
276		len -= 64;
277	}
278
279	/* Copy left over data into buffer */
280	memcpy(ctx->buf, src, len);
281}
282
283/*
284 * SHA-256 finalization.  Pads the input data, exports the hash value,
285 * and clears the context state.
286 */
287void
288SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx)
289{
290
291	/* Add padding */
292	SHA256_Pad(ctx);
293
294	/* Write the hash */
295	be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH);
296
297	/* Clear the context state */
298	memset(ctx, 0, sizeof(*ctx));
299}
300
301#ifdef WEAK_REFS
302/* When building libmd, provide weak references. Note: this is not
303   activated in the context of compiling these sources for internal
304   use in libcrypt.
305 */
306#undef SHA256_Init
307__weak_reference(_libmd_SHA256_Init, SHA256_Init);
308#undef SHA256_Update
309__weak_reference(_libmd_SHA256_Update, SHA256_Update);
310#undef SHA256_Final
311__weak_reference(_libmd_SHA256_Final, SHA256_Final);
312#undef SHA256_Transform
313__weak_reference(_libmd_SHA256_Transform, SHA256_Transform);
314#endif
315