iofbirddaemon / lib / sha256.c @ 4035e0e7
History  View  Annotate  Download (10.9 KB)
1 
/*


2 
* BIRD Library  SHA256 and SHA224 Hash Functions,

3 
* HMACSHA256 and HMACSHA224 Functions

4 
*

5 
* (c) 2015 CZ.NIC z.s.p.o.

6 
*

7 
* Based on the code from libgcrypt1.6.0, which is

8 
* (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.

9 
*

10 
* Can be freely distributed and used under the terms of the GNU GPL.

11 
*/

12  
13 
#include "lib/sha256.h" 
14 
#include "lib/unaligned.h" 
15  
16 
static uint sha256_transform(void *ctx, const byte *data, size_t nblks); 
17  
18 
void

19 
sha256_init(struct sha256_context *ctx)

20 
{ 
21 
ctx>h0 = 0x6a09e667;

22 
ctx>h1 = 0xbb67ae85;

23 
ctx>h2 = 0x3c6ef372;

24 
ctx>h3 = 0xa54ff53a;

25 
ctx>h4 = 0x510e527f;

26 
ctx>h5 = 0x9b05688c;

27 
ctx>h6 = 0x1f83d9ab;

28 
ctx>h7 = 0x5be0cd19;

29  
30 
ctx>nblocks = 0;

31 
ctx>nblocks_high = 0;

32 
ctx>count = 0;

33 
ctx>blocksize = 64;

34 
ctx>transform = sha256_transform; 
35 
} 
36  
37 
void

38 
sha224_init(struct sha224_context *ctx)

39 
{ 
40 
ctx>h0 = 0xc1059ed8;

41 
ctx>h1 = 0x367cd507;

42 
ctx>h2 = 0x3070dd17;

43 
ctx>h3 = 0xf70e5939;

44 
ctx>h4 = 0xffc00b31;

45 
ctx>h5 = 0x68581511;

46 
ctx>h6 = 0x64f98fa7;

47 
ctx>h7 = 0xbefa4fa4;

48  
49 
ctx>nblocks = 0;

50 
ctx>nblocks_high = 0;

51 
ctx>count = 0;

52 
ctx>blocksize = 64;

53 
ctx>transform = sha256_transform; 
54 
} 
55  
56 
/* (4.2) same as SHA1's F1. */

57 
static inline u32 
58 
f1(u32 x, u32 y, u32 z) 
59 
{ 
60 
return (z ^ (x & (y ^ z)));

61 
} 
62  
63 
/* (4.3) same as SHA1's F3 */

64 
static inline u32 
65 
f3(u32 x, u32 y, u32 z) 
66 
{ 
67 
return ((x & y)  (z & (xy)));

68 
} 
69  
70 
/* Bitwise rotation of an uint to the right */

71 
static inline u32 ror(u32 x, int n) 
72 
{ 
73 
return ( (x >> (n&(321)))  (x << ((32n)&(321))) ); 
74 
} 
75  
76 
/* (4.4) */

77 
static inline u32 
78 
sum0(u32 x) 
79 
{ 
80 
return (ror(x, 2) ^ ror(x, 13) ^ ror(x, 22)); 
81 
} 
82  
83 
/* (4.5) */

84 
static inline u32 
85 
sum1(u32 x) 
86 
{ 
87 
return (ror(x, 6) ^ ror(x, 11) ^ ror(x, 25)); 
88 
} 
89  
90 
/*

91 
Transform the message X which consists of 16 32bitwords. See FIPS

92 
1802 for details. */

93 
#define S0(x) (ror((x), 7) ^ ror((x), 18) ^ ((x) >> 3)) /* (4.6) */ 
94 
#define S1(x) (ror((x), 17) ^ ror((x), 19) ^ ((x) >> 10)) /* (4.7) */ 
95 
#define R(a,b,c,d,e,f,g,h,k,w) \

96 
do \

97 
{ \ 
98 
t1 = (h) + sum1((e)) + f1((e),(f),(g)) + (k) + (w); \ 
99 
t2 = sum0((a)) + f3((a),(b),(c)); \ 
100 
h = g; \ 
101 
g = f; \ 
102 
f = e; \ 
103 
e = d + t1; \ 
104 
d = c; \ 
105 
c = b; \ 
106 
b = a; \ 
107 
a = t1 + t2; \ 
108 
} while (0) 
109  
110 
/*

111 
The SHA256 core: Transform the message X which consists of 16

112 
32bitwords. See FIPS 1802 for details.

113 
*/

114 
static uint

115 
sha256_transform_block(struct sha256_context *ctx, const byte *data) 
116 
{ 
117 
static const u32 K[64] = { 
118 
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 
119 
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 
120 
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 
121 
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 
122 
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 
123 
0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 
124 
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 
125 
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 
126 
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 
127 
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 
128 
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 
129 
0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 
130 
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 
131 
0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 
132 
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 
133 
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 
134 
}; 
135  
136 
u32 a,b,c,d,e,f,g,h,t1,t2; 
137 
u32 w[64];

138 
int i;

139  
140 
a = ctx>h0; 
141 
b = ctx>h1; 
142 
c = ctx>h2; 
143 
d = ctx>h3; 
144 
e = ctx>h4; 
145 
f = ctx>h5; 
146 
g = ctx>h6; 
147 
h = ctx>h7; 
148  
149 
for (i = 0; i < 16; i++) 
150 
w[i] = get_u32(data + i * 4);

151 
for (; i < 64; i++) 
152 
w[i] = S1(w[i2]) + w[i7] + S0(w[i15]) + w[i16]; 
153  
154 
for (i = 0; i < 64;) 
155 
{ 
156 
t1 = h + sum1(e) + f1(e, f, g) + K[i] + w[i]; 
157 
t2 = sum0 (a) + f3(a, b, c); 
158 
d += t1; 
159 
h = t1 + t2; 
160  
161 
t1 = g + sum1(d) + f1(d, e, f) + K[i+1] + w[i+1]; 
162 
t2 = sum0 (h) + f3(h, a, b); 
163 
c += t1; 
164 
g = t1 + t2; 
165  
166 
t1 = f + sum1(c) + f1(c, d, e) + K[i+2] + w[i+2]; 
167 
t2 = sum0 (g) + f3(g, h, a); 
168 
b += t1; 
169 
f = t1 + t2; 
170  
171 
t1 = e + sum1(b) + f1(b, c, d) + K[i+3] + w[i+3]; 
172 
t2 = sum0 (f) + f3(f, g, h); 
173 
a += t1; 
174 
e = t1 + t2; 
175  
176 
t1 = d + sum1(a) + f1(a, b, c) + K[i+4] + w[i+4]; 
177 
t2 = sum0 (e) + f3(e, f, g); 
178 
h += t1; 
179 
d = t1 + t2; 
180  
181 
t1 = c + sum1(h) + f1(h, a, b) + K[i+5] + w[i+5]; 
182 
t2 = sum0 (d) + f3(d, e, f); 
183 
g += t1; 
184 
c = t1 + t2; 
185  
186 
t1 = b + sum1(g) + f1(g, h, a) + K[i+6] + w[i+6]; 
187 
t2 = sum0 (c) + f3(c, d, e); 
188 
f += t1; 
189 
b = t1 + t2; 
190  
191 
t1 = a + sum1(f) + f1(f, g, h) + K[i+7] + w[i+7]; 
192 
t2 = sum0 (b) + f3(b, c, d); 
193 
e += t1; 
194 
a = t1 + t2; 
195  
196 
i += 8;

197 
} 
198  
199 
ctx>h0 += a; 
200 
ctx>h1 += b; 
201 
ctx>h2 += c; 
202 
ctx>h3 += d; 
203 
ctx>h4 += e; 
204 
ctx>h5 += f; 
205 
ctx>h6 += g; 
206 
ctx>h7 += h; 
207  
208 
return /*burn_stack*/ 74*4+32; 
209 
} 
210 
#undef S0

211 
#undef S1

212 
#undef R

213  
214 
static uint

215 
sha256_transform(void *ctx, const byte *data, size_t nblks) 
216 
{ 
217 
struct sha256_context *hd = ctx;

218 
uint burn; 
219  
220 
do

221 
{ 
222 
burn = sha256_transform_block(hd, data); 
223 
data += 64;

224 
} 
225 
while (nblks);

226  
227 
return burn;

228 
} 
229  
230 
/* Common function to write a chunk of data to the transform function

231 
of a hash algorithm. Note that the use of the term "block" does

232 
not imply a fixed size block. Note that we explicitly allow to use

233 
this function after the context has been finalized; the result does

234 
not have any meaning but writing after finalize is sometimes

235 
helpful to mitigate timing attacks. */

236 
void

237 
sha256_update(struct sha256_context *ctx, const byte *in_buf, size_t in_len) 
238 
{ 
239 
const uint blocksize = ctx>blocksize;

240 
size_t inblocks; 
241  
242 
if (sizeof(ctx>buf) < blocksize) 
243 
debug("BUG: in file %s at line %d", __FILE__ , __LINE__);

244  
245 
if (ctx>count == blocksize) /* Flush the buffer. */ 
246 
{ 
247 
ctx>transform(ctx, ctx>buf, 1);

248 
ctx>count = 0;

249 
if (!++ctx>nblocks)

250 
ctx>nblocks_high++; 
251 
} 
252 
if (!in_buf)

253 
return;

254  
255 
if (ctx>count)

256 
{ 
257 
for (; in_len && ctx>count < blocksize; in_len)

258 
ctx>buf[ctx>count++] = *in_buf++; 
259 
sha256_update(ctx, NULL, 0); 
260 
if (!in_len)

261 
return;

262 
} 
263  
264 
if (in_len >= blocksize)

265 
{ 
266 
inblocks = in_len / blocksize; 
267 
ctx>transform(ctx, in_buf, inblocks); 
268 
ctx>count = 0;

269 
ctx>nblocks_high += (ctx>nblocks + inblocks < inblocks); 
270 
ctx>nblocks += inblocks; 
271 
in_len = inblocks * blocksize; 
272 
in_buf += inblocks * blocksize; 
273 
} 
274 
for (; in_len && ctx>count < blocksize; in_len)

275 
ctx>buf[ctx>count++] = *in_buf++; 
276 
} 
277  
278 
/*

279 
The routine finally terminates the computation and returns the

280 
digest. The handle is prepared for a new cycle, but adding bytes

281 
to the handle will the destroy the returned buffer. Returns: 32

282 
bytes with the message the digest. */

283 
byte* 
284 
sha256_final(struct sha256_context *ctx)

285 
{ 
286 
u32 t, th, msb, lsb; 
287 
byte *p; 
288  
289 
sha256_update(ctx, NULL, 0); /* flush */; 
290  
291 
t = ctx>nblocks; 
292 
if (sizeof t == sizeof ctx>nblocks) 
293 
th = ctx>nblocks_high; 
294 
else

295 
th = 0;

296  
297 
/* multiply by 64 to make a byte count */

298 
lsb = t << 6;

299 
msb = (th << 6)  (t >> 26); 
300 
/* add the count */

301 
t = lsb; 
302 
if ((lsb += ctx>count) < t)

303 
msb++; 
304 
/* multiply by 8 to make a bit count */

305 
t = lsb; 
306 
lsb <<= 3;

307 
msb <<= 3;

308 
msb = t >> 29;

309  
310 
if (ctx>count < 56) 
311 
{ /* enough room */

312 
ctx>buf[ctx>count++] = 0x80; /* pad */ 
313 
while (ctx>count < 56) 
314 
ctx>buf[ctx>count++] = 0; /* pad */ 
315 
} 
316 
else

317 
{ /* need one extra block */

318 
ctx>buf[ctx>count++] = 0x80; /* pad character */ 
319 
while (ctx>count < 64) 
320 
ctx>buf[ctx>count++] = 0;

321 
sha256_update(ctx, NULL, 0); /* flush */; 
322 
memset (ctx>buf, 0, 56 ); /* fill next block with zeroes */ 
323 
} 
324 
/* append the 64 bit count */

325 
put_u32(ctx>buf + 56, msb);

326 
put_u32(ctx>buf + 60, lsb);

327 
sha256_transform(ctx, ctx>buf, 1);

328  
329 
p = ctx>buf; 
330  
331 
#define X(a) do { put_u32(p, ctx>h##a); p += 4; } while(0) 
332 
X(0);

333 
X(1);

334 
X(2);

335 
X(3);

336 
X(4);

337 
X(5);

338 
X(6);

339 
X(7);

340 
#undef X

341  
342 
return ctx>buf;

343 
} 
344  
345  
346 
/*

347 
* SHA256HMAC

348 
*/

349  
350 
static void 
351 
sha256_hash_buffer(byte *outbuf, const byte *buffer, size_t length)

352 
{ 
353 
struct sha256_context hd_tmp;

354  
355 
sha256_init(&hd_tmp); 
356 
sha256_update(&hd_tmp, buffer, length); 
357 
memcpy(outbuf, sha256_final(&hd_tmp), SHA256_SIZE); 
358 
} 
359  
360 
void

361 
sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen) 
362 
{ 
363 
byte keybuf[SHA256_BLOCK_SIZE], buf[SHA256_BLOCK_SIZE]; 
364  
365 
/* Hash the key if necessary */

366 
if (keylen <= SHA256_BLOCK_SIZE)

367 
{ 
368 
memcpy(keybuf, key, keylen); 
369 
bzero(keybuf + keylen, SHA256_BLOCK_SIZE  keylen); 
370 
} 
371 
else

372 
{ 
373 
sha256_hash_buffer(keybuf, key, keylen); 
374 
bzero(keybuf + SHA256_SIZE, SHA256_BLOCK_SIZE  SHA256_SIZE); 
375 
} 
376  
377 
/* Initialize the inner digest */

378 
sha256_init(&ctx>ictx); 
379 
int i;

380 
for (i = 0; i < SHA256_BLOCK_SIZE; i++) 
381 
buf[i] = keybuf[i] ^ 0x36;

382 
sha256_update(&ctx>ictx, buf, SHA256_BLOCK_SIZE); 
383  
384 
/* Initialize the outer digest */

385 
sha256_init(&ctx>octx); 
386 
for (i = 0; i < SHA256_BLOCK_SIZE; i++) 
387 
buf[i] = keybuf[i] ^ 0x5c;

388 
sha256_update(&ctx>octx, buf, SHA256_BLOCK_SIZE); 
389 
} 
390  
391 
void sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen) 
392 
{ 
393 
/* Just update the inner digest */

394 
sha256_update(&ctx>ictx, buf, buflen); 
395 
} 
396  
397 
byte *sha256_hmac_final(struct sha256_hmac_context *ctx)

398 
{ 
399 
/* Finish the inner digest */

400 
byte *isha = sha256_final(&ctx>ictx); 
401  
402 
/* Finish the outer digest */

403 
sha256_update(&ctx>octx, isha, SHA256_SIZE); 
404 
return sha256_final(&ctx>octx);

405 
} 
406  
407  
408 
/*

409 
* SHA224HMAC

410 
*/

411  
412 
static void 
413 
sha224_hash_buffer(byte *outbuf, const byte *buffer, size_t length)

414 
{ 
415 
struct sha224_context hd_tmp;

416  
417 
sha224_init(&hd_tmp); 
418 
sha224_update(&hd_tmp, buffer, length); 
419 
memcpy(outbuf, sha224_final(&hd_tmp), SHA224_SIZE); 
420 
} 
421  
422 
void

423 
sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key, size_t keylen) 
424 
{ 
425 
byte keybuf[SHA224_BLOCK_SIZE], buf[SHA224_BLOCK_SIZE]; 
426  
427 
/* Hash the key if necessary */

428 
if (keylen <= SHA224_BLOCK_SIZE)

429 
{ 
430 
memcpy(keybuf, key, keylen); 
431 
bzero(keybuf + keylen, SHA224_BLOCK_SIZE  keylen); 
432 
} 
433 
else

434 
{ 
435 
sha224_hash_buffer(keybuf, key, keylen); 
436 
bzero(keybuf + SHA224_SIZE, SHA224_BLOCK_SIZE  SHA224_SIZE); 
437 
} 
438  
439 
/* Initialize the inner digest */

440 
sha224_init(&ctx>ictx); 
441 
int i;

442 
for (i = 0; i < SHA224_BLOCK_SIZE; i++) 
443 
buf[i] = keybuf[i] ^ 0x36;

444 
sha224_update(&ctx>ictx, buf, SHA224_BLOCK_SIZE); 
445  
446 
/* Initialize the outer digest */

447 
sha224_init(&ctx>octx); 
448 
for (i = 0; i < SHA224_BLOCK_SIZE; i++) 
449 
buf[i] = keybuf[i] ^ 0x5c;

450 
sha224_update(&ctx>octx, buf, SHA224_BLOCK_SIZE); 
451 
} 
452  
453 
void sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen) 
454 
{ 
455 
/* Just update the inner digest */

456 
sha256_update(&ctx>ictx, buf, buflen); 
457 
} 
458  
459 
byte *sha224_hmac_final(struct sha224_hmac_context *ctx)

460 
{ 
461 
/* Finish the inner digest */

462 
byte *isha = sha224_final(&ctx>ictx); 
463  
464 
/* Finish the outer digest */

465 
sha224_update(&ctx>octx, isha, SHA224_SIZE); 
466 
return sha224_final(&ctx>octx);

467 
} 