]>
git.ipfire.org Git - thirdparty/bird.git/blob - lib/sha256.c
2 * BIRD Library -- SHA-256 and SHA-224 Hash Functions,
3 * HMAC-SHA-256 and HMAC-SHA-224 Functions
5 * (c) 2015 CZ.NIC z.s.p.o.
7 * Based on the code from libgcrypt-1.6.0, which is
8 * (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
10 * Can be freely distributed and used under the terms of the GNU GPL.
13 #include "lib/sha256.h"
14 #include "lib/unaligned.h"
17 // #define SHA256_UNROLLED
20 sha256_init(struct sha256_context
*ctx
)
36 sha224_init(struct sha224_context
*ctx
)
51 /* (4.2) same as SHA-1's F1. */
53 f1(u32 x
, u32 y
, u32 z
)
55 return (z
^ (x
& (y
^ z
)));
58 /* (4.3) same as SHA-1's F3 */
60 f3(u32 x
, u32 y
, u32 z
)
62 return ((x
& y
) | (z
& (x
|y
)));
65 /* Bitwise rotation of an uint to the right */
66 static inline u32
ror(u32 x
, int n
)
68 return ((x
>> (n
&(32-1))) | (x
<< ((32-n
)&(32-1))));
75 return (ror(x
, 2) ^ ror(x
, 13) ^ ror(x
, 22));
82 return (ror(x
, 6) ^ ror(x
, 11) ^ ror(x
, 25));
86 Transform the message X which consists of 16 32-bit-words. See FIPS
88 #define S0(x) (ror((x), 7) ^ ror((x), 18) ^ ((x) >> 3)) /* (4.6) */
89 #define S1(x) (ror((x), 17) ^ ror((x), 19) ^ ((x) >> 10)) /* (4.7) */
90 #define R(a,b,c,d,e,f,g,h,k,w) \
93 t1 = (h) + sum1((e)) + f1((e),(f),(g)) + (k) + (w); \
94 t2 = sum0((a)) + f3((a),(b),(c)); \
106 The SHA-256 core: Transform the message X which consists of 16
107 32-bit-words. See FIPS 180-2 for details.
110 sha256_transform(struct sha256_context
*ctx
, const byte
*data
)
112 static const u32 K
[64] = {
113 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
114 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
115 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
116 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
117 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
118 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
119 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
120 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
121 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
122 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
123 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
124 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
125 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
126 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
127 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
128 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
131 u32 a
,b
,c
,d
,e
,f
,g
,h
,t1
,t2
;
144 for (i
= 0; i
< 16; i
++)
145 w
[i
] = get_u32(data
+ i
* 4);
148 w
[i
] = S1(w
[i
-2]) + w
[i
-7] + S0(w
[i
-15]) + w
[i
-16];
152 #ifndef SHA256_UNROLLED
153 R(a
,b
,c
,d
,e
,f
,g
,h
,K
[i
],w
[i
]);
156 t1
= h
+ sum1(e
) + f1(e
, f
, g
) + K
[i
] + w
[i
];
157 t2
= sum0(a
) + f3(a
, b
, c
);
161 t1
= g
+ sum1(d
) + f1(d
, e
, f
) + K
[i
+1] + w
[i
+1];
162 t2
= sum0(h
) + f3(h
, a
, b
);
166 t1
= f
+ sum1(c
) + f1(c
, d
, e
) + K
[i
+2] + w
[i
+2];
167 t2
= sum0(g
) + f3(g
, h
, a
);
171 t1
= e
+ sum1(b
) + f1(b
, c
, d
) + K
[i
+3] + w
[i
+3];
172 t2
= sum0(f
) + f3(f
, g
, h
);
176 t1
= d
+ sum1(a
) + f1(a
, b
, c
) + K
[i
+4] + w
[i
+4];
177 t2
= sum0(e
) + f3(e
, f
, g
);
181 t1
= c
+ sum1(h
) + f1(h
, a
, b
) + K
[i
+5] + w
[i
+5];
182 t2
= sum0(d
) + f3(d
, e
, f
);
186 t1
= b
+ sum1(g
) + f1(g
, h
, a
) + K
[i
+6] + w
[i
+6];
187 t2
= sum0(c
) + f3(c
, d
, e
);
191 t1
= a
+ sum1(f
) + f1(f
, g
, h
) + K
[i
+7] + w
[i
+7];
192 t2
= sum0(b
) + f3(b
, c
, d
);
209 return /*burn_stack*/ 74*4+32;
215 /* Common function to write a chunk of data to the transform function
216 of a hash algorithm. Note that the use of the term "block" does
217 not imply a fixed size block. Note that we explicitly allow to use
218 this function after the context has been finalized; the result does
219 not have any meaning but writing after finalize is sometimes
220 helpful to mitigate timing attacks. */
222 sha256_update(struct sha256_context
*ctx
, const byte
*buf
, size_t len
)
226 /* Fill rest of internal buffer */
227 for (; len
&& ctx
->count
< SHA256_BLOCK_SIZE
; len
--)
228 ctx
->buf
[ctx
->count
++] = *buf
++;
230 if (ctx
->count
< SHA256_BLOCK_SIZE
)
233 /* Process data from internal buffer */
234 sha256_transform(ctx
, ctx
->buf
);
242 /* Process data from input buffer */
243 while (len
>= SHA256_BLOCK_SIZE
)
245 sha256_transform(ctx
, buf
);
247 buf
+= SHA256_BLOCK_SIZE
;
248 len
-= SHA256_BLOCK_SIZE
;
251 /* Copy remaining data to internal buffer */
252 memcpy(ctx
->buf
, buf
, len
);
257 * The routine finally terminates the computation and returns the digest. The
258 * handle is prepared for a new cycle, but adding bytes to the handle will the
259 * destroy the returned buffer.
261 * Returns: 32 bytes with the message the digest. 28 bytes for SHA-224.
264 sha256_final(struct sha256_context
*ctx
)
268 sha256_update(ctx
, NULL
, 0); /* flush */
273 /* multiply by 64 to make a byte count */
275 msb
= (th
<< 6) | (t
>> 26);
278 if ((lsb
+= ctx
->count
) < t
)
280 /* multiply by 8 to make a bit count */
289 ctx
->buf
[ctx
->count
++] = 0x80; /* pad */
290 while (ctx
->count
< 56)
291 ctx
->buf
[ctx
->count
++] = 0; /* pad */
295 /* need one extra block */
296 ctx
->buf
[ctx
->count
++] = 0x80; /* pad character */
297 while (ctx
->count
< 64)
298 ctx
->buf
[ctx
->count
++] = 0;
299 sha256_update(ctx
, NULL
, 0); /* flush */;
300 memset(ctx
->buf
, 0, 56 ); /* fill next block with zeroes */
303 /* append the 64 bit count */
304 put_u32(ctx
->buf
+ 56, msb
);
305 put_u32(ctx
->buf
+ 60, lsb
);
306 sha256_transform(ctx
, ctx
->buf
);
309 #define X(a) do { put_u32(p, ctx->h##a); p += 4; } while(0)
329 sha256_hash_buffer(byte
*outbuf
, const byte
*buffer
, size_t length
)
331 struct sha256_context ctx
;
334 sha256_update(&ctx
, buffer
, length
);
335 memcpy(outbuf
, sha256_final(&ctx
), SHA256_SIZE
);
339 sha256_hmac_init(struct sha256_hmac_context
*ctx
, const byte
*key
, size_t keylen
)
341 byte keybuf
[SHA256_BLOCK_SIZE
], buf
[SHA256_BLOCK_SIZE
];
343 /* Hash the key if necessary */
344 if (keylen
<= SHA256_BLOCK_SIZE
)
346 memcpy(keybuf
, key
, keylen
);
347 memset(keybuf
+ keylen
, 0, SHA256_BLOCK_SIZE
- keylen
);
351 sha256_hash_buffer(keybuf
, key
, keylen
);
352 memset(keybuf
+ SHA256_SIZE
, 0, SHA256_BLOCK_SIZE
- SHA256_SIZE
);
355 /* Initialize the inner digest */
356 sha256_init(&ctx
->ictx
);
358 for (i
= 0; i
< SHA256_BLOCK_SIZE
; i
++)
359 buf
[i
] = keybuf
[i
] ^ 0x36;
360 sha256_update(&ctx
->ictx
, buf
, SHA256_BLOCK_SIZE
);
362 /* Initialize the outer digest */
363 sha256_init(&ctx
->octx
);
364 for (i
= 0; i
< SHA256_BLOCK_SIZE
; i
++)
365 buf
[i
] = keybuf
[i
] ^ 0x5c;
366 sha256_update(&ctx
->octx
, buf
, SHA256_BLOCK_SIZE
);
370 sha256_hmac_update(struct sha256_hmac_context
*ctx
, const byte
*buf
, size_t buflen
)
372 /* Just update the inner digest */
373 sha256_update(&ctx
->ictx
, buf
, buflen
);
377 sha256_hmac_final(struct sha256_hmac_context
*ctx
)
379 /* Finish the inner digest */
380 byte
*isha
= sha256_final(&ctx
->ictx
);
382 /* Finish the outer digest */
383 sha256_update(&ctx
->octx
, isha
, SHA256_SIZE
);
384 return sha256_final(&ctx
->octx
);
393 sha224_hash_buffer(byte
*outbuf
, const byte
*buffer
, size_t length
)
395 struct sha224_context ctx
;
398 sha224_update(&ctx
, buffer
, length
);
399 memcpy(outbuf
, sha224_final(&ctx
), SHA224_SIZE
);
403 sha224_hmac_init(struct sha224_hmac_context
*ctx
, const byte
*key
, size_t keylen
)
405 byte keybuf
[SHA224_BLOCK_SIZE
], buf
[SHA224_BLOCK_SIZE
];
407 /* Hash the key if necessary */
408 if (keylen
<= SHA224_BLOCK_SIZE
)
410 memcpy(keybuf
, key
, keylen
);
411 memset(keybuf
+ keylen
, 0, SHA224_BLOCK_SIZE
- keylen
);
415 sha224_hash_buffer(keybuf
, key
, keylen
);
416 memset(keybuf
+ SHA224_SIZE
, 0, SHA224_BLOCK_SIZE
- SHA224_SIZE
);
419 /* Initialize the inner digest */
420 sha224_init(&ctx
->ictx
);
422 for (i
= 0; i
< SHA224_BLOCK_SIZE
; i
++)
423 buf
[i
] = keybuf
[i
] ^ 0x36;
424 sha224_update(&ctx
->ictx
, buf
, SHA224_BLOCK_SIZE
);
426 /* Initialize the outer digest */
427 sha224_init(&ctx
->octx
);
428 for (i
= 0; i
< SHA224_BLOCK_SIZE
; i
++)
429 buf
[i
] = keybuf
[i
] ^ 0x5c;
430 sha224_update(&ctx
->octx
, buf
, SHA224_BLOCK_SIZE
);
434 sha224_hmac_update(struct sha224_hmac_context
*ctx
, const byte
*buf
, size_t buflen
)
436 /* Just update the inner digest */
437 sha256_update(&ctx
->ictx
, buf
, buflen
);
441 sha224_hmac_final(struct sha224_hmac_context
*ctx
)
443 /* Finish the inner digest */
444 byte
*isha
= sha224_final(&ctx
->ictx
);
446 /* Finish the outer digest */
447 sha224_update(&ctx
->octx
, isha
, SHA224_SIZE
);
448 return sha224_final(&ctx
->octx
);