Revision 4035e0e7

View differences:

lib/Modules
1
sha256.c
2
sha256.h
1 3
sha1.c
2 4
sha1.h
3 5
birdlib.h
lib/sha256.c
1
/*
2
 *	BIRD Library -- SHA-256 and SHA-224 Hash Functions,
3
 *			HMAC-SHA-256 and HMAC-SHA-224 Functions
4
 *
5
 *	(c) 2015 CZ.NIC z.s.p.o.
6
 *
7
 *	Based on the code from libgcrypt-1.6.0, which is
8
 *	(c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
9
 *
10
 *	Can be freely distributed and used under the terms of the GNU GPL.
11
 */
12

  
13
#include "lib/sha256.h"
14
#include "lib/unaligned.h"
15

  
16
static uint sha256_transform(void *ctx, const byte *data, size_t nblks);
17

  
18
void
19
sha256_init(struct sha256_context *ctx)
20
{
21
  ctx->h0 = 0x6a09e667;
22
  ctx->h1 = 0xbb67ae85;
23
  ctx->h2 = 0x3c6ef372;
24
  ctx->h3 = 0xa54ff53a;
25
  ctx->h4 = 0x510e527f;
26
  ctx->h5 = 0x9b05688c;
27
  ctx->h6 = 0x1f83d9ab;
28
  ctx->h7 = 0x5be0cd19;
29

  
30
  ctx->nblocks = 0;
31
  ctx->nblocks_high = 0;
32
  ctx->count = 0;
33
  ctx->blocksize = 64;
34
  ctx->transform = sha256_transform;
35
}
36

  
37
void
38
sha224_init(struct sha224_context *ctx)
39
{
40
  ctx->h0 = 0xc1059ed8;
41
  ctx->h1 = 0x367cd507;
42
  ctx->h2 = 0x3070dd17;
43
  ctx->h3 = 0xf70e5939;
44
  ctx->h4 = 0xffc00b31;
45
  ctx->h5 = 0x68581511;
46
  ctx->h6 = 0x64f98fa7;
47
  ctx->h7 = 0xbefa4fa4;
48

  
49
  ctx->nblocks = 0;
50
  ctx->nblocks_high = 0;
51
  ctx->count = 0;
52
  ctx->blocksize = 64;
53
  ctx->transform = sha256_transform;
54
}
55

  
56
/* (4.2) same as SHA-1's F1.  */
57
static inline u32
58
f1(u32 x, u32 y, u32 z)
59
{
60
  return (z ^ (x & (y ^ z)));
61
}
62

  
63
/* (4.3) same as SHA-1's F3 */
64
static inline u32
65
f3(u32 x, u32 y, u32 z)
66
{
67
  return ((x & y) | (z & (x|y)));
68
}
69

  
70
/* Bitwise rotation of an uint to the right */
71
static inline u32 ror(u32 x, int n)
72
{
73
  return ( (x >> (n&(32-1))) | (x << ((32-n)&(32-1))) );
74
}
75

  
76
/* (4.4) */
77
static inline u32
78
sum0(u32 x)
79
{
80
  return (ror(x, 2) ^ ror(x, 13) ^ ror(x, 22));
81
}
82

  
83
/* (4.5) */
84
static inline u32
85
sum1(u32 x)
86
{
87
  return (ror(x, 6) ^ ror(x, 11) ^ ror(x, 25));
88
}
89

  
90
/*
91
  Transform the message X which consists of 16 32-bit-words. See FIPS
92
  180-2 for details.  */
93
#define S0(x) (ror((x),  7) ^ ror((x), 18) ^ ((x) >>  3))	/* (4.6) */
94
#define S1(x) (ror((x), 17) ^ ror((x), 19) ^ ((x) >> 10))	/* (4.7) */
95
#define R(a,b,c,d,e,f,g,h,k,w)					\
96
    do								\
97
    {								\
98
      t1 = (h) + sum1((e)) + f1((e),(f),(g)) + (k) + (w);	\
99
      t2 = sum0((a)) + f3((a),(b),(c));				\
100
      h = g;							\
101
      g = f;							\
102
      f = e;							\
103
      e = d + t1;						\
104
      d = c;							\
105
      c = b;							\
106
      b = a;							\
107
      a = t1 + t2;						\
108
    } while (0)
109

  
110
/*
111
    The SHA-256 core: Transform the message X which consists of 16
112
    32-bit-words. See FIPS 180-2 for details.
113
 */
114
static uint
115
sha256_transform_block(struct sha256_context *ctx, const byte *data)
116
{
117
  static const u32 K[64] = {
118
      0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
119
      0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
120
      0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
121
      0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
122
      0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
123
      0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
124
      0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
125
      0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
126
      0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
127
      0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
128
      0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
129
      0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
130
      0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
131
      0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
132
      0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
133
      0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
134
  };
135

  
136
  u32 a,b,c,d,e,f,g,h,t1,t2;
137
  u32 w[64];
138
  int i;
139

  
140
  a = ctx->h0;
141
  b = ctx->h1;
142
  c = ctx->h2;
143
  d = ctx->h3;
144
  e = ctx->h4;
145
  f = ctx->h5;
146
  g = ctx->h6;
147
  h = ctx->h7;
148

  
149
  for (i = 0; i < 16; i++)
150
    w[i] = get_u32(data + i * 4);
151
  for (; i < 64; i++)
152
    w[i] = S1(w[i-2]) + w[i-7] + S0(w[i-15]) + w[i-16];
153

  
154
  for (i = 0; i < 64;)
155
  {
156
    t1 = h + sum1(e) + f1(e, f, g) + K[i] + w[i];
157
    t2 = sum0 (a) + f3(a, b, c);
158
    d += t1;
159
    h  = t1 + t2;
160

  
161
    t1 = g + sum1(d) + f1(d, e, f) + K[i+1] + w[i+1];
162
    t2 = sum0 (h) + f3(h, a, b);
163
    c += t1;
164
    g  = t1 + t2;
165

  
166
    t1 = f + sum1(c) + f1(c, d, e) + K[i+2] + w[i+2];
167
    t2 = sum0 (g) + f3(g, h, a);
168
    b += t1;
169
    f  = t1 + t2;
170

  
171
    t1 = e + sum1(b) + f1(b, c, d) + K[i+3] + w[i+3];
172
    t2 = sum0 (f) + f3(f, g, h);
173
    a += t1;
174
    e  = t1 + t2;
175

  
176
    t1 = d + sum1(a) + f1(a, b, c) + K[i+4] + w[i+4];
177
    t2 = sum0 (e) + f3(e, f, g);
178
    h += t1;
179
    d  = t1 + t2;
180

  
181
    t1 = c + sum1(h) + f1(h, a, b) + K[i+5] + w[i+5];
182
    t2 = sum0 (d) + f3(d, e, f);
183
    g += t1;
184
    c  = t1 + t2;
185

  
186
    t1 = b + sum1(g) + f1(g, h, a) + K[i+6] + w[i+6];
187
    t2 = sum0 (c) + f3(c, d, e);
188
    f += t1;
189
    b  = t1 + t2;
190

  
191
    t1 = a + sum1(f) + f1(f, g, h) + K[i+7] + w[i+7];
192
    t2 = sum0 (b) + f3(b, c, d);
193
    e += t1;
194
    a  = t1 + t2;
195

  
196
    i += 8;
197
  }
198

  
199
  ctx->h0 += a;
200
  ctx->h1 += b;
201
  ctx->h2 += c;
202
  ctx->h3 += d;
203
  ctx->h4 += e;
204
  ctx->h5 += f;
205
  ctx->h6 += g;
206
  ctx->h7 += h;
207

  
208
  return /*burn_stack*/ 74*4+32;
209
}
210
#undef S0
211
#undef S1
212
#undef R
213

  
214
static uint
215
sha256_transform(void *ctx, const byte *data, size_t nblks)
216
{
217
  struct sha256_context *hd = ctx;
218
  uint burn;
219

  
220
  do
221
  {
222
    burn = sha256_transform_block(hd, data);
223
    data += 64;
224
  }
225
  while (--nblks);
226

  
227
  return burn;
228
}
229

  
230
/* Common function to write a chunk of data to the transform function
231
   of a hash algorithm.  Note that the use of the term "block" does
232
   not imply a fixed size block.  Note that we explicitly allow to use
233
   this function after the context has been finalized; the result does
234
   not have any meaning but writing after finalize is sometimes
235
   helpful to mitigate timing attacks. */
236
void
237
sha256_update(struct sha256_context *ctx, const byte *in_buf, size_t in_len)
238
{
239
  const uint blocksize = ctx->blocksize;
240
  size_t inblocks;
241

  
242
  if (sizeof(ctx->buf) < blocksize)
243
    debug("BUG: in file %s at line %d", __FILE__ , __LINE__);
244

  
245
  if (ctx->count == blocksize)  /* Flush the buffer. */
246
  {
247
    ctx->transform(ctx, ctx->buf, 1);
248
    ctx->count = 0;
249
    if (!++ctx->nblocks)
250
      ctx->nblocks_high++;
251
  }
252
  if (!in_buf)
253
    return;
254

  
255
  if (ctx->count)
256
  {
257
    for (; in_len && ctx->count < blocksize; in_len--)
258
      ctx->buf[ctx->count++] = *in_buf++;
259
    sha256_update(ctx, NULL, 0);
260
    if (!in_len)
261
      return;
262
  }
263

  
264
  if (in_len >= blocksize)
265
  {
266
    inblocks = in_len / blocksize;
267
    ctx->transform(ctx, in_buf, inblocks);
268
    ctx->count = 0;
269
    ctx->nblocks_high += (ctx->nblocks + inblocks < inblocks);
270
    ctx->nblocks += inblocks;
271
    in_len -= inblocks * blocksize;
272
    in_buf += inblocks * blocksize;
273
  }
274
  for (; in_len && ctx->count < blocksize; in_len--)
275
    ctx->buf[ctx->count++] = *in_buf++;
276
}
277

  
278
/*
279
   The routine finally terminates the computation and returns the
280
   digest.  The handle is prepared for a new cycle, but adding bytes
281
   to the handle will the destroy the returned buffer.  Returns: 32
282
   bytes with the message the digest.  */
283
byte*
284
sha256_final(struct sha256_context *ctx)
285
{
286
  u32 t, th, msb, lsb;
287
  byte *p;
288

  
289
  sha256_update(ctx, NULL, 0); /* flush */;
290

  
291
  t = ctx->nblocks;
292
  if (sizeof t == sizeof ctx->nblocks)
293
    th = ctx->nblocks_high;
294
  else
295
    th = 0;
296

  
297
  /* multiply by 64 to make a byte count */
298
  lsb = t << 6;
299
  msb = (th << 6) | (t >> 26);
300
  /* add the count */
301
  t = lsb;
302
  if ((lsb += ctx->count) < t)
303
    msb++;
304
  /* multiply by 8 to make a bit count */
305
  t = lsb;
306
  lsb <<= 3;
307
  msb <<= 3;
308
  msb |= t >> 29;
309

  
310
  if (ctx->count < 56)
311
  { /* enough room */
312
    ctx->buf[ctx->count++] = 0x80; /* pad */
313
    while (ctx->count < 56)
314
      ctx->buf[ctx->count++] = 0;  /* pad */
315
  }
316
  else
317
  { /* need one extra block */
318
    ctx->buf[ctx->count++] = 0x80; /* pad character */
319
    while (ctx->count < 64)
320
      ctx->buf[ctx->count++] = 0;
321
    sha256_update(ctx, NULL, 0);  /* flush */;
322
    memset (ctx->buf, 0, 56 ); /* fill next block with zeroes */
323
  }
324
  /* append the 64 bit count */
325
  put_u32(ctx->buf + 56, msb);
326
  put_u32(ctx->buf + 60, lsb);
327
  sha256_transform(ctx, ctx->buf, 1);
328

  
329
  p = ctx->buf;
330

  
331
#define X(a) do { put_u32(p, ctx->h##a); p += 4; } while(0)
332
  X(0);
333
  X(1);
334
  X(2);
335
  X(3);
336
  X(4);
337
  X(5);
338
  X(6);
339
  X(7);
340
#undef X
341

  
342
  return ctx->buf;
343
}
344

  
345

  
346
/*
347
 * 	SHA256-HMAC
348
 */
349

  
350
static void
351
sha256_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
352
{
353
  struct sha256_context hd_tmp;
354

  
355
  sha256_init(&hd_tmp);
356
  sha256_update(&hd_tmp, buffer, length);
357
  memcpy(outbuf, sha256_final(&hd_tmp), SHA256_SIZE);
358
}
359

  
360
void
361
sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen)
362
{
363
  byte keybuf[SHA256_BLOCK_SIZE], buf[SHA256_BLOCK_SIZE];
364

  
365
  /* Hash the key if necessary */
366
  if (keylen <= SHA256_BLOCK_SIZE)
367
  {
368
    memcpy(keybuf, key, keylen);
369
    bzero(keybuf + keylen, SHA256_BLOCK_SIZE - keylen);
370
  }
371
  else
372
  {
373
    sha256_hash_buffer(keybuf, key, keylen);
374
    bzero(keybuf + SHA256_SIZE, SHA256_BLOCK_SIZE - SHA256_SIZE);
375
  }
376

  
377
  /* Initialize the inner digest */
378
  sha256_init(&ctx->ictx);
379
  int i;
380
  for (i = 0; i < SHA256_BLOCK_SIZE; i++)
381
    buf[i] = keybuf[i] ^ 0x36;
382
  sha256_update(&ctx->ictx, buf, SHA256_BLOCK_SIZE);
383

  
384
  /* Initialize the outer digest */
385
  sha256_init(&ctx->octx);
386
  for (i = 0; i < SHA256_BLOCK_SIZE; i++)
387
    buf[i] = keybuf[i] ^ 0x5c;
388
  sha256_update(&ctx->octx, buf, SHA256_BLOCK_SIZE);
389
}
390

  
391
void sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen)
392
{
393
  /* Just update the inner digest */
394
  sha256_update(&ctx->ictx, buf, buflen);
395
}
396

  
397
byte *sha256_hmac_final(struct sha256_hmac_context *ctx)
398
{
399
  /* Finish the inner digest */
400
  byte *isha = sha256_final(&ctx->ictx);
401

  
402
  /* Finish the outer digest */
403
  sha256_update(&ctx->octx, isha, SHA256_SIZE);
404
  return sha256_final(&ctx->octx);
405
}
406

  
407

  
408
/*
409
 * 	SHA224-HMAC
410
 */
411

  
412
static void
413
sha224_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
414
{
415
  struct sha224_context hd_tmp;
416

  
417
  sha224_init(&hd_tmp);
418
  sha224_update(&hd_tmp, buffer, length);
419
  memcpy(outbuf, sha224_final(&hd_tmp), SHA224_SIZE);
420
}
421

  
422
void
423
sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key, size_t keylen)
424
{
425
  byte keybuf[SHA224_BLOCK_SIZE], buf[SHA224_BLOCK_SIZE];
426

  
427
  /* Hash the key if necessary */
428
  if (keylen <= SHA224_BLOCK_SIZE)
429
  {
430
    memcpy(keybuf, key, keylen);
431
    bzero(keybuf + keylen, SHA224_BLOCK_SIZE - keylen);
432
  }
433
  else
434
  {
435
    sha224_hash_buffer(keybuf, key, keylen);
436
    bzero(keybuf + SHA224_SIZE, SHA224_BLOCK_SIZE - SHA224_SIZE);
437
  }
438

  
439
  /* Initialize the inner digest */
440
  sha224_init(&ctx->ictx);
441
  int i;
442
  for (i = 0; i < SHA224_BLOCK_SIZE; i++)
443
    buf[i] = keybuf[i] ^ 0x36;
444
  sha224_update(&ctx->ictx, buf, SHA224_BLOCK_SIZE);
445

  
446
  /* Initialize the outer digest */
447
  sha224_init(&ctx->octx);
448
  for (i = 0; i < SHA224_BLOCK_SIZE; i++)
449
    buf[i] = keybuf[i] ^ 0x5c;
450
  sha224_update(&ctx->octx, buf, SHA224_BLOCK_SIZE);
451
}
452

  
453
void sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen)
454
{
455
  /* Just update the inner digest */
456
  sha256_update(&ctx->ictx, buf, buflen);
457
}
458

  
459
byte *sha224_hmac_final(struct sha224_hmac_context *ctx)
460
{
461
  /* Finish the inner digest */
462
  byte *isha = sha224_final(&ctx->ictx);
463

  
464
  /* Finish the outer digest */
465
  sha224_update(&ctx->octx, isha, SHA224_SIZE);
466
  return sha224_final(&ctx->octx);
467
}
lib/sha256.h
1
/*
2
 *	BIRD Library -- SHA-256 and SHA-224 Hash Functions,
3
 *			HMAC-SHA-256 and HMAC-SHA-224 Functions
4
 *
5
 *	(c) 2015 CZ.NIC z.s.p.o.
6
 *
7
 *	Based on the code from libgcrypt-1.6.0, which is
8
 *	(c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
9
 *
10
 *	Can be freely distributed and used under the terms of the GNU GPL.
11
 */
12

  
13
#ifndef _BIRD_SHA256_H_
14
#define _BIRD_SHA256_H_
15

  
16
#include "nest/bird.h"
17

  
18
#define SHA224_SIZE 		28
19
#define SHA224_HEX_SIZE		57
20
#define SHA224_BLOCK_SIZE 	64
21

  
22
#define SHA256_SIZE 		32
23
#define SHA256_HEX_SIZE		65
24
#define SHA256_BLOCK_SIZE 	64
25

  
26
struct sha256_context {
27
  u32  h0,h1,h2,h3,h4,h5,h6,h7;
28
  byte buf[128];			/* 128 is for SHA384 and SHA512 support, otherwise for SHA224 and SHA256 is 64 enough */
29
  u32 nblocks;
30
  u32 nblocks_high;
31
  int count;
32
  u32 blocksize;
33
  uint (*transform)(void *c, const byte *blks, size_t nblks);
34
};
35
#define sha224_context sha256_context	/* aliasing 'struct sha224_context' to 'struct sha256_context' */
36

  
37
void sha256_init(struct sha256_context *ctx);
38
void sha224_init(struct sha224_context *ctx);
39

  
40
void sha256_update(struct sha256_context *ctx, const byte *in_buf, size_t in_len);
41
static inline void sha224_update(struct sha224_context *ctx, const byte *in_buf, size_t in_len)
42
{
43
  sha256_update(ctx, in_buf, in_len);
44
}
45

  
46
byte* sha256_final(struct sha256_context *ctx);
47
static inline byte* sha224_final(struct sha224_context *ctx)
48
{
49
  return sha256_final(ctx);
50
}
51

  
52
/*
53
 *	HMAC-SHA256, HMAC-SHA224
54
 */
55
struct sha256_hmac_context
56
{
57
  struct sha256_context ictx;
58
  struct sha256_context octx;
59
};
60
#define sha224_hmac_context sha256_hmac_context	/* aliasing 'struct sha224_hmac_context' to 'struct sha256_hmac_context' */
61

  
62
void sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen);
63
void sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key,  size_t keylen);
64

  
65
void sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen);
66
void sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen);
67

  
68
byte *sha256_hmac_final(struct sha256_hmac_context *ctx);
69
byte *sha224_hmac_final(struct sha224_hmac_context *ctx);
70

  
71
#endif /* _BIRD_SHA256_H_ */

Also available in: Unified diff