]> git.ipfire.org Git - thirdparty/bird.git/blob - lib/sha256.c
projects / thirdparty / bird.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' into rip-new
[thirdparty/bird.git] / lib / sha256.c
1 /*
2 * BIRD Library -- SHA-256 and SHA-224 Hash Functions,
3 * HMAC-SHA-256 and HMAC-SHA-224 Functions
4 *
5 * (c) 2015 CZ.NIC z.s.p.o.
6 *
7 * Based on the code from libgcrypt-1.6.0, which is
8 * (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
9 *
10 * Can be freely distributed and used under the terms of the GNU GPL.
11 */
12
13 #include "lib/sha256.h"
14 #include "lib/unaligned.h"
15
16
17 // #define SHA256_UNROLLED
18
19 void
20 sha256_init(struct sha256_context *ctx)
21 {
22 ctx->h0 = 0x6a09e667;
23 ctx->h1 = 0xbb67ae85;
24 ctx->h2 = 0x3c6ef372;
25 ctx->h3 = 0xa54ff53a;
26 ctx->h4 = 0x510e527f;
27 ctx->h5 = 0x9b05688c;
28 ctx->h6 = 0x1f83d9ab;
29 ctx->h7 = 0x5be0cd19;
30
31 ctx->nblocks = 0;
32 ctx->count = 0;
33 }
34
35 void
36 sha224_init(struct sha224_context *ctx)
37 {
38 ctx->h0 = 0xc1059ed8;
39 ctx->h1 = 0x367cd507;
40 ctx->h2 = 0x3070dd17;
41 ctx->h3 = 0xf70e5939;
42 ctx->h4 = 0xffc00b31;
43 ctx->h5 = 0x68581511;
44 ctx->h6 = 0x64f98fa7;
45 ctx->h7 = 0xbefa4fa4;
46
47 ctx->nblocks = 0;
48 ctx->count = 0;
49 }
50
51 /* (4.2) same as SHA-1's F1. */
52 static inline u32
53 f1(u32 x, u32 y, u32 z)
54 {
55 return (z ^ (x & (y ^ z)));
56 }
57
58 /* (4.3) same as SHA-1's F3 */
59 static inline u32
60 f3(u32 x, u32 y, u32 z)
61 {
62 return ((x & y) | (z & (x|y)));
63 }
64
65 /* Bitwise rotation of an uint to the right */
66 static inline u32 ror(u32 x, int n)
67 {
68 return ((x >> (n&(32-1))) | (x << ((32-n)&(32-1))));
69 }
70
71 /* (4.4) */
72 static inline u32
73 sum0(u32 x)
74 {
75 return (ror(x, 2) ^ ror(x, 13) ^ ror(x, 22));
76 }
77
78 /* (4.5) */
79 static inline u32
80 sum1(u32 x)
81 {
82 return (ror(x, 6) ^ ror(x, 11) ^ ror(x, 25));
83 }
84
85 /*
86 Transform the message X which consists of 16 32-bit-words. See FIPS
87 180-2 for details. */
88 #define S0(x) (ror((x), 7) ^ ror((x), 18) ^ ((x) >> 3)) /* (4.6) */
89 #define S1(x) (ror((x), 17) ^ ror((x), 19) ^ ((x) >> 10)) /* (4.7) */
90 #define R(a,b,c,d,e,f,g,h,k,w) \
91 do \
92 { \
93 t1 = (h) + sum1((e)) + f1((e),(f),(g)) + (k) + (w); \
94 t2 = sum0((a)) + f3((a),(b),(c)); \
95 h = g; \
96 g = f; \
97 f = e; \
98 e = d + t1; \
99 d = c; \
100 c = b; \
101 b = a; \
102 a = t1 + t2; \
103 } while (0)
104
105 /*
106 The SHA-256 core: Transform the message X which consists of 16
107 32-bit-words. See FIPS 180-2 for details.
108 */
109 static uint
110 sha256_transform(struct sha256_context *ctx, const byte *data)
111 {
112 static const u32 K[64] = {
113 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
114 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
115 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
116 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
117 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
118 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
119 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
120 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
121 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
122 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
123 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
124 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
125 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
126 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
127 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
128 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
129 };
130
131 u32 a,b,c,d,e,f,g,h,t1,t2;
132 u32 w[64];
133 int i;
134
135 a = ctx->h0;
136 b = ctx->h1;
137 c = ctx->h2;
138 d = ctx->h3;
139 e = ctx->h4;
140 f = ctx->h5;
141 g = ctx->h6;
142 h = ctx->h7;
143
144 for (i = 0; i < 16; i++)
145 w[i] = get_u32(data + i * 4);
146
147 for (; i < 64; i++)
148 w[i] = S1(w[i-2]) + w[i-7] + S0(w[i-15]) + w[i-16];
149
150 for (i = 0; i < 64;)
151 {
152 #ifndef SHA256_UNROLLED
153 R(a,b,c,d,e,f,g,h,K[i],w[i]);
154 i++;
155 #else /* Unrolled */
156 t1 = h + sum1(e) + f1(e, f, g) + K[i] + w[i];
157 t2 = sum0(a) + f3(a, b, c);
158 d += t1;
159 h = t1 + t2;
160
161 t1 = g + sum1(d) + f1(d, e, f) + K[i+1] + w[i+1];
162 t2 = sum0(h) + f3(h, a, b);
163 c += t1;
164 g = t1 + t2;
165
166 t1 = f + sum1(c) + f1(c, d, e) + K[i+2] + w[i+2];
167 t2 = sum0(g) + f3(g, h, a);
168 b += t1;
169 f = t1 + t2;
170
171 t1 = e + sum1(b) + f1(b, c, d) + K[i+3] + w[i+3];
172 t2 = sum0(f) + f3(f, g, h);
173 a += t1;
174 e = t1 + t2;
175
176 t1 = d + sum1(a) + f1(a, b, c) + K[i+4] + w[i+4];
177 t2 = sum0(e) + f3(e, f, g);
178 h += t1;
179 d = t1 + t2;
180
181 t1 = c + sum1(h) + f1(h, a, b) + K[i+5] + w[i+5];
182 t2 = sum0(d) + f3(d, e, f);
183 g += t1;
184 c = t1 + t2;
185
186 t1 = b + sum1(g) + f1(g, h, a) + K[i+6] + w[i+6];
187 t2 = sum0(c) + f3(c, d, e);
188 f += t1;
189 b = t1 + t2;
190
191 t1 = a + sum1(f) + f1(f, g, h) + K[i+7] + w[i+7];
192 t2 = sum0(b) + f3(b, c, d);
193 e += t1;
194 a = t1 + t2;
195
196 i += 8;
197 #endif
198 }
199
200 ctx->h0 += a;
201 ctx->h1 += b;
202 ctx->h2 += c;
203 ctx->h3 += d;
204 ctx->h4 += e;
205 ctx->h5 += f;
206 ctx->h6 += g;
207 ctx->h7 += h;
208
209 return /*burn_stack*/ 74*4+32;
210 }
211 #undef S0
212 #undef S1
213 #undef R
214
215 /* Common function to write a chunk of data to the transform function
216 of a hash algorithm. Note that the use of the term "block" does
217 not imply a fixed size block. Note that we explicitly allow to use
218 this function after the context has been finalized; the result does
219 not have any meaning but writing after finalize is sometimes
220 helpful to mitigate timing attacks. */
221 void
222 sha256_update(struct sha256_context *ctx, const byte *buf, size_t len)
223 {
224 if (ctx->count)
225 {
226 /* Fill rest of internal buffer */
227 for (; len && ctx->count < SHA256_BLOCK_SIZE; len--)
228 ctx->buf[ctx->count++] = *buf++;
229
230 if (ctx->count < SHA256_BLOCK_SIZE)
231 return;
232
233 /* Process data from internal buffer */
234 sha256_transform(ctx, ctx->buf);
235 ctx->nblocks++;
236 ctx->count = 0;
237 }
238
239 if (!len)
240 return;
241
242 /* Process data from input buffer */
243 while (len >= SHA256_BLOCK_SIZE)
244 {
245 sha256_transform(ctx, buf);
246 ctx->nblocks++;
247 buf += SHA256_BLOCK_SIZE;
248 len -= SHA256_BLOCK_SIZE;
249 }
250
251 /* Copy remaining data to internal buffer */
252 memcpy(ctx->buf, buf, len);
253 ctx->count = len;
254 }
255
256 /*
257 * The routine finally terminates the computation and returns the digest. The
258 * handle is prepared for a new cycle, but adding bytes to the handle will the
259 * destroy the returned buffer.
260 *
261 * Returns: 32 bytes with the message the digest. 28 bytes for SHA-224.
262 */
263 byte *
264 sha256_final(struct sha256_context *ctx)
265 {
266 u32 t, th, msb, lsb;
267
268 sha256_update(ctx, NULL, 0); /* flush */
269
270 t = ctx->nblocks;
271 th = 0;
272
273 /* multiply by 64 to make a byte count */
274 lsb = t << 6;
275 msb = (th << 6) | (t >> 26);
276 /* add the count */
277 t = lsb;
278 if ((lsb += ctx->count) < t)
279 msb++;
280 /* multiply by 8 to make a bit count */
281 t = lsb;
282 lsb <<= 3;
283 msb <<= 3;
284 msb |= t >> 29;
285
286 if (ctx->count < 56)
287 {
288 /* enough room */
289 ctx->buf[ctx->count++] = 0x80; /* pad */
290 while (ctx->count < 56)
291 ctx->buf[ctx->count++] = 0; /* pad */
292 }
293 else
294 {
295 /* need one extra block */
296 ctx->buf[ctx->count++] = 0x80; /* pad character */
297 while (ctx->count < 64)
298 ctx->buf[ctx->count++] = 0;
299 sha256_update(ctx, NULL, 0); /* flush */;
300 memset(ctx->buf, 0, 56 ); /* fill next block with zeroes */
301 }
302
303 /* append the 64 bit count */
304 put_u32(ctx->buf + 56, msb);
305 put_u32(ctx->buf + 60, lsb);
306 sha256_transform(ctx, ctx->buf);
307
308 byte *p = ctx->buf;
309 #define X(a) do { put_u32(p, ctx->h##a); p += 4; } while(0)
310 X(0);
311 X(1);
312 X(2);
313 X(3);
314 X(4);
315 X(5);
316 X(6);
317 X(7);
318 #undef X
319
320 return ctx->buf;
321 }
322
323
324 /*
325 * SHA256-HMAC
326 */
327
328 static void
329 sha256_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
330 {
331 struct sha256_context ctx;
332
333 sha256_init(&ctx);
334 sha256_update(&ctx, buffer, length);
335 memcpy(outbuf, sha256_final(&ctx), SHA256_SIZE);
336 }
337
338 void
339 sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen)
340 {
341 byte keybuf[SHA256_BLOCK_SIZE], buf[SHA256_BLOCK_SIZE];
342
343 /* Hash the key if necessary */
344 if (keylen <= SHA256_BLOCK_SIZE)
345 {
346 memcpy(keybuf, key, keylen);
347 memset(keybuf + keylen, 0, SHA256_BLOCK_SIZE - keylen);
348 }
349 else
350 {
351 sha256_hash_buffer(keybuf, key, keylen);
352 memset(keybuf + SHA256_SIZE, 0, SHA256_BLOCK_SIZE - SHA256_SIZE);
353 }
354
355 /* Initialize the inner digest */
356 sha256_init(&ctx->ictx);
357 int i;
358 for (i = 0; i < SHA256_BLOCK_SIZE; i++)
359 buf[i] = keybuf[i] ^ 0x36;
360 sha256_update(&ctx->ictx, buf, SHA256_BLOCK_SIZE);
361
362 /* Initialize the outer digest */
363 sha256_init(&ctx->octx);
364 for (i = 0; i < SHA256_BLOCK_SIZE; i++)
365 buf[i] = keybuf[i] ^ 0x5c;
366 sha256_update(&ctx->octx, buf, SHA256_BLOCK_SIZE);
367 }
368
369 void
370 sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen)
371 {
372 /* Just update the inner digest */
373 sha256_update(&ctx->ictx, buf, buflen);
374 }
375
376 byte *
377 sha256_hmac_final(struct sha256_hmac_context *ctx)
378 {
379 /* Finish the inner digest */
380 byte *isha = sha256_final(&ctx->ictx);
381
382 /* Finish the outer digest */
383 sha256_update(&ctx->octx, isha, SHA256_SIZE);
384 return sha256_final(&ctx->octx);
385 }
386
387
388 /*
389 * SHA224-HMAC
390 */
391
392 static void
393 sha224_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
394 {
395 struct sha224_context ctx;
396
397 sha224_init(&ctx);
398 sha224_update(&ctx, buffer, length);
399 memcpy(outbuf, sha224_final(&ctx), SHA224_SIZE);
400 }
401
402 void
403 sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key, size_t keylen)
404 {
405 byte keybuf[SHA224_BLOCK_SIZE], buf[SHA224_BLOCK_SIZE];
406
407 /* Hash the key if necessary */
408 if (keylen <= SHA224_BLOCK_SIZE)
409 {
410 memcpy(keybuf, key, keylen);
411 memset(keybuf + keylen, 0, SHA224_BLOCK_SIZE - keylen);
412 }
413 else
414 {
415 sha224_hash_buffer(keybuf, key, keylen);
416 memset(keybuf + SHA224_SIZE, 0, SHA224_BLOCK_SIZE - SHA224_SIZE);
417 }
418
419 /* Initialize the inner digest */
420 sha224_init(&ctx->ictx);
421 int i;
422 for (i = 0; i < SHA224_BLOCK_SIZE; i++)
423 buf[i] = keybuf[i] ^ 0x36;
424 sha224_update(&ctx->ictx, buf, SHA224_BLOCK_SIZE);
425
426 /* Initialize the outer digest */
427 sha224_init(&ctx->octx);
428 for (i = 0; i < SHA224_BLOCK_SIZE; i++)
429 buf[i] = keybuf[i] ^ 0x5c;
430 sha224_update(&ctx->octx, buf, SHA224_BLOCK_SIZE);
431 }
432
433 void
434 sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen)
435 {
436 /* Just update the inner digest */
437 sha256_update(&ctx->ictx, buf, buflen);
438 }
439
440 byte *
441 sha224_hmac_final(struct sha224_hmac_context *ctx)
442 {
443 /* Finish the inner digest */
444 byte *isha = sha224_final(&ctx->ictx);
445
446 /* Finish the outer digest */
447 sha224_update(&ctx->octx, isha, SHA224_SIZE);
448 return sha224_final(&ctx->octx);
449 }
Mirror of https://gitlab.labs.nic.cz/labs/bird.git