1143334Scperciva/*-
2143334Scperciva * Copyright 2005 Colin Percival
3143334Scperciva * All rights reserved.
4143334Scperciva *
5143334Scperciva * Redistribution and use in source and binary forms, with or without
6143334Scperciva * modification, are permitted provided that the following conditions
7143334Scperciva * are met:
8143334Scperciva * 1. Redistributions of source code must retain the above copyright
9143334Scperciva *    notice, this list of conditions and the following disclaimer.
10143334Scperciva * 2. Redistributions in binary form must reproduce the above copyright
11143334Scperciva *    notice, this list of conditions and the following disclaimer in the
12143334Scperciva *    documentation and/or other materials provided with the distribution.
13143334Scperciva *
14143334Scperciva * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15143334Scperciva * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16143334Scperciva * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17143334Scperciva * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18143334Scperciva * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19143334Scperciva * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20143334Scperciva * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21143334Scperciva * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22143334Scperciva * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23143334Scperciva * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24143334Scperciva * SUCH DAMAGE.
25143334Scperciva */
26143334Scperciva
27143334Scperciva#include <sys/cdefs.h>
28143334Scperciva__FBSDID("$FreeBSD$");
29143334Scperciva
30143334Scperciva#include <sys/endian.h>
31143334Scperciva#include <sys/types.h>
32143334Scperciva
33143334Scperciva#include <string.h>
34143334Scperciva
35143334Scperciva#include "sha256.h"
36143334Scperciva
37143334Scperciva#if BYTE_ORDER == BIG_ENDIAN
38143334Scperciva
39143334Scperciva/* Copy a vector of big-endian uint32_t into a vector of bytes */
40143334Scperciva#define be32enc_vect(dst, src, len)	\
41143334Scperciva	memcpy((void *)dst, (const void *)src, (size_t)len)
42143334Scperciva
43143334Scperciva/* Copy a vector of bytes into a vector of big-endian uint32_t */
44143334Scperciva#define be32dec_vect(dst, src, len)	\
45143334Scperciva	memcpy((void *)dst, (const void *)src, (size_t)len)
46143334Scperciva
47143334Scperciva#else /* BYTE_ORDER != BIG_ENDIAN */
48143334Scperciva
49143334Scperciva/*
50143334Scperciva * Encode a length len/4 vector of (uint32_t) into a length len vector of
51143334Scperciva * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
52143334Scperciva */
53143334Scpercivastatic void
54143334Scpercivabe32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
55143334Scperciva{
56143334Scperciva	size_t i;
57143334Scperciva
58143334Scperciva	for (i = 0; i < len / 4; i++)
59143334Scperciva		be32enc(dst + i * 4, src[i]);
60143334Scperciva}
61143334Scperciva
62143334Scperciva/*
63143334Scperciva * Decode a big-endian length len vector of (unsigned char) into a length
64143334Scperciva * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
65143334Scperciva */
66143334Scpercivastatic void
67143334Scpercivabe32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
68143334Scperciva{
69143334Scperciva	size_t i;
70143334Scperciva
71143334Scperciva	for (i = 0; i < len / 4; i++)
72143334Scperciva		dst[i] = be32dec(src + i * 4);
73143334Scperciva}
74143334Scperciva
75143334Scperciva#endif /* BYTE_ORDER != BIG_ENDIAN */
76143334Scperciva
77143334Scperciva/* Elementary functions used by SHA256 */
78143334Scperciva#define Ch(x, y, z)	((x & (y ^ z)) ^ z)
79143334Scperciva#define Maj(x, y, z)	((x & (y | z)) | (y & z))
80143334Scperciva#define SHR(x, n)	(x >> n)
81143334Scperciva#define ROTR(x, n)	((x >> n) | (x << (32 - n)))
82143334Scperciva#define S0(x)		(ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
83143334Scperciva#define S1(x)		(ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
84143334Scperciva#define s0(x)		(ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
85143334Scperciva#define s1(x)		(ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
86143334Scperciva
87143334Scperciva/* SHA256 round function */
88143334Scperciva#define RND(a, b, c, d, e, f, g, h, k)			\
89143334Scperciva	t0 = h + S1(e) + Ch(e, f, g) + k;		\
90143334Scperciva	t1 = S0(a) + Maj(a, b, c);			\
91143334Scperciva	d += t0;					\
92143334Scperciva	h  = t0 + t1;
93143334Scperciva
94143334Scperciva/* Adjusted round function for rotating state */
95143334Scperciva#define RNDr(S, W, i, k)			\
96143334Scperciva	RND(S[(64 - i) % 8], S[(65 - i) % 8],	\
97143334Scperciva	    S[(66 - i) % 8], S[(67 - i) % 8],	\
98143334Scperciva	    S[(68 - i) % 8], S[(69 - i) % 8],	\
99143334Scperciva	    S[(70 - i) % 8], S[(71 - i) % 8],	\
100143334Scperciva	    W[i] + k)
101143334Scperciva
102143334Scperciva/*
103143334Scperciva * SHA256 block compression function.  The 256-bit state is transformed via
104143334Scperciva * the 512-bit input block to produce a new state.
105143334Scperciva */
106143334Scpercivastatic void
107143334ScpercivaSHA256_Transform(uint32_t * state, const unsigned char block[64])
108143334Scperciva{
109143334Scperciva	uint32_t W[64];
110143334Scperciva	uint32_t S[8];
111143334Scperciva	uint32_t t0, t1;
112143334Scperciva	int i;
113143334Scperciva
114143334Scperciva	/* 1. Prepare message schedule W. */
115143334Scperciva	be32dec_vect(W, block, 64);
116143334Scperciva	for (i = 16; i < 64; i++)
117143334Scperciva		W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
118143334Scperciva
119143334Scperciva	/* 2. Initialize working variables. */
120143334Scperciva	memcpy(S, state, 32);
121143334Scperciva
122143334Scperciva	/* 3. Mix. */
123143334Scperciva	RNDr(S, W, 0, 0x428a2f98);
124143334Scperciva	RNDr(S, W, 1, 0x71374491);
125143334Scperciva	RNDr(S, W, 2, 0xb5c0fbcf);
126143334Scperciva	RNDr(S, W, 3, 0xe9b5dba5);
127143334Scperciva	RNDr(S, W, 4, 0x3956c25b);
128143334Scperciva	RNDr(S, W, 5, 0x59f111f1);
129143334Scperciva	RNDr(S, W, 6, 0x923f82a4);
130143334Scperciva	RNDr(S, W, 7, 0xab1c5ed5);
131143334Scperciva	RNDr(S, W, 8, 0xd807aa98);
132143334Scperciva	RNDr(S, W, 9, 0x12835b01);
133143334Scperciva	RNDr(S, W, 10, 0x243185be);
134143334Scperciva	RNDr(S, W, 11, 0x550c7dc3);
135143334Scperciva	RNDr(S, W, 12, 0x72be5d74);
136143334Scperciva	RNDr(S, W, 13, 0x80deb1fe);
137143334Scperciva	RNDr(S, W, 14, 0x9bdc06a7);
138143334Scperciva	RNDr(S, W, 15, 0xc19bf174);
139143334Scperciva	RNDr(S, W, 16, 0xe49b69c1);
140143334Scperciva	RNDr(S, W, 17, 0xefbe4786);
141143334Scperciva	RNDr(S, W, 18, 0x0fc19dc6);
142143334Scperciva	RNDr(S, W, 19, 0x240ca1cc);
143143334Scperciva	RNDr(S, W, 20, 0x2de92c6f);
144143334Scperciva	RNDr(S, W, 21, 0x4a7484aa);
145143334Scperciva	RNDr(S, W, 22, 0x5cb0a9dc);
146143334Scperciva	RNDr(S, W, 23, 0x76f988da);
147143334Scperciva	RNDr(S, W, 24, 0x983e5152);
148143334Scperciva	RNDr(S, W, 25, 0xa831c66d);
149143334Scperciva	RNDr(S, W, 26, 0xb00327c8);
150143334Scperciva	RNDr(S, W, 27, 0xbf597fc7);
151143334Scperciva	RNDr(S, W, 28, 0xc6e00bf3);
152143334Scperciva	RNDr(S, W, 29, 0xd5a79147);
153143334Scperciva	RNDr(S, W, 30, 0x06ca6351);
154143334Scperciva	RNDr(S, W, 31, 0x14292967);
155143334Scperciva	RNDr(S, W, 32, 0x27b70a85);
156143334Scperciva	RNDr(S, W, 33, 0x2e1b2138);
157143334Scperciva	RNDr(S, W, 34, 0x4d2c6dfc);
158143334Scperciva	RNDr(S, W, 35, 0x53380d13);
159143334Scperciva	RNDr(S, W, 36, 0x650a7354);
160143334Scperciva	RNDr(S, W, 37, 0x766a0abb);
161143334Scperciva	RNDr(S, W, 38, 0x81c2c92e);
162143334Scperciva	RNDr(S, W, 39, 0x92722c85);
163143334Scperciva	RNDr(S, W, 40, 0xa2bfe8a1);
164143334Scperciva	RNDr(S, W, 41, 0xa81a664b);
165143334Scperciva	RNDr(S, W, 42, 0xc24b8b70);
166143334Scperciva	RNDr(S, W, 43, 0xc76c51a3);
167143334Scperciva	RNDr(S, W, 44, 0xd192e819);
168143334Scperciva	RNDr(S, W, 45, 0xd6990624);
169143334Scperciva	RNDr(S, W, 46, 0xf40e3585);
170143334Scperciva	RNDr(S, W, 47, 0x106aa070);
171143334Scperciva	RNDr(S, W, 48, 0x19a4c116);
172143334Scperciva	RNDr(S, W, 49, 0x1e376c08);
173143334Scperciva	RNDr(S, W, 50, 0x2748774c);
174143334Scperciva	RNDr(S, W, 51, 0x34b0bcb5);
175143334Scperciva	RNDr(S, W, 52, 0x391c0cb3);
176143334Scperciva	RNDr(S, W, 53, 0x4ed8aa4a);
177143334Scperciva	RNDr(S, W, 54, 0x5b9cca4f);
178143334Scperciva	RNDr(S, W, 55, 0x682e6ff3);
179143334Scperciva	RNDr(S, W, 56, 0x748f82ee);
180143334Scperciva	RNDr(S, W, 57, 0x78a5636f);
181143334Scperciva	RNDr(S, W, 58, 0x84c87814);
182143334Scperciva	RNDr(S, W, 59, 0x8cc70208);
183143334Scperciva	RNDr(S, W, 60, 0x90befffa);
184143334Scperciva	RNDr(S, W, 61, 0xa4506ceb);
185143334Scperciva	RNDr(S, W, 62, 0xbef9a3f7);
186143334Scperciva	RNDr(S, W, 63, 0xc67178f2);
187143334Scperciva
188143334Scperciva	/* 4. Mix local working variables into global state */
189143334Scperciva	for (i = 0; i < 8; i++)
190143334Scperciva		state[i] += S[i];
191143334Scperciva}
192143334Scperciva
193143334Scpercivastatic unsigned char PAD[64] = {
194143334Scperciva	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
195143334Scperciva	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
196143334Scperciva	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
197143334Scperciva	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
198143334Scperciva};
199143334Scperciva
200143334Scperciva/* Add padding and terminating bit-count. */
201143334Scpercivastatic void
202143334ScpercivaSHA256_Pad(SHA256_CTX * ctx)
203143334Scperciva{
204143334Scperciva	unsigned char len[8];
205143334Scperciva	uint32_t r, plen;
206143334Scperciva
207143334Scperciva	/*
208143334Scperciva	 * Convert length to a vector of bytes -- we do this now rather
209143334Scperciva	 * than later because the length will change after we pad.
210143334Scperciva	 */
211143334Scperciva	be32enc_vect(len, ctx->count, 8);
212143334Scperciva
213143334Scperciva	/* Add 1--64 bytes so that the resulting length is 56 mod 64 */
214143334Scperciva	r = (ctx->count[1] >> 3) & 0x3f;
215143334Scperciva	plen = (r < 56) ? (56 - r) : (120 - r);
216143334Scperciva	SHA256_Update(ctx, PAD, (size_t)plen);
217143334Scperciva
218143334Scperciva	/* Add the terminating bit-count */
219143334Scperciva	SHA256_Update(ctx, len, 8);
220143334Scperciva}
221143334Scperciva
222143334Scperciva/* SHA-256 initialization.  Begins a SHA-256 operation. */
223143334Scpercivavoid
224143334ScpercivaSHA256_Init(SHA256_CTX * ctx)
225143334Scperciva{
226143334Scperciva
227143334Scperciva	/* Zero bits processed so far */
228143334Scperciva	ctx->count[0] = ctx->count[1] = 0;
229143334Scperciva
230143334Scperciva	/* Magic initialization constants */
231143334Scperciva	ctx->state[0] = 0x6A09E667;
232143334Scperciva	ctx->state[1] = 0xBB67AE85;
233143334Scperciva	ctx->state[2] = 0x3C6EF372;
234143334Scperciva	ctx->state[3] = 0xA54FF53A;
235143334Scperciva	ctx->state[4] = 0x510E527F;
236143334Scperciva	ctx->state[5] = 0x9B05688C;
237143334Scperciva	ctx->state[6] = 0x1F83D9AB;
238143334Scperciva	ctx->state[7] = 0x5BE0CD19;
239143334Scperciva}
240143334Scperciva
241143334Scperciva/* Add bytes into the hash */
242143334Scpercivavoid
243154479SphkSHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
244143334Scperciva{
245143334Scperciva	uint32_t bitlen[2];
246143334Scperciva	uint32_t r;
247154479Sphk	const unsigned char *src = in;
248143334Scperciva
249143334Scperciva	/* Number of bytes left in the buffer from previous updates */
250143334Scperciva	r = (ctx->count[1] >> 3) & 0x3f;
251143334Scperciva
252143334Scperciva	/* Convert the length into a number of bits */
253143334Scperciva	bitlen[1] = ((uint32_t)len) << 3;
254143334Scperciva	bitlen[0] = (uint32_t)(len >> 29);
255143334Scperciva
256143334Scperciva	/* Update number of bits */
257143334Scperciva	if ((ctx->count[1] += bitlen[1]) < bitlen[1])
258143334Scperciva		ctx->count[0]++;
259143334Scperciva	ctx->count[0] += bitlen[0];
260143334Scperciva
261143334Scperciva	/* Handle the case where we don't need to perform any transforms */
262143334Scperciva	if (len < 64 - r) {
263143334Scperciva		memcpy(&ctx->buf[r], src, len);
264143334Scperciva		return;
265143334Scperciva	}
266143334Scperciva
267143334Scperciva	/* Finish the current block */
268143334Scperciva	memcpy(&ctx->buf[r], src, 64 - r);
269143334Scperciva	SHA256_Transform(ctx->state, ctx->buf);
270143334Scperciva	src += 64 - r;
271143334Scperciva	len -= 64 - r;
272143334Scperciva
273143334Scperciva	/* Perform complete blocks */
274143334Scperciva	while (len >= 64) {
275143334Scperciva		SHA256_Transform(ctx->state, src);
276143334Scperciva		src += 64;
277143334Scperciva		len -= 64;
278143334Scperciva	}
279143334Scperciva
280143334Scperciva	/* Copy left over data into buffer */
281143334Scperciva	memcpy(ctx->buf, src, len);
282143334Scperciva}
283143334Scperciva
284143334Scperciva/*
285143334Scperciva * SHA-256 finalization.  Pads the input data, exports the hash value,
286143334Scperciva * and clears the context state.
287143334Scperciva */
288143334Scpercivavoid
289143334ScpercivaSHA256_Final(unsigned char digest[32], SHA256_CTX * ctx)
290143334Scperciva{
291143334Scperciva
292143334Scperciva	/* Add padding */
293143334Scperciva	SHA256_Pad(ctx);
294143334Scperciva
295143334Scperciva	/* Write the hash */
296143334Scperciva	be32enc_vect(digest, ctx->state, 32);
297143334Scperciva
298143334Scperciva	/* Clear the context state */
299143334Scperciva	memset((void *)ctx, 0, sizeof(*ctx));
300143334Scperciva}
301