Statistics
| Branch: | Revision:

iof-bird-daemon / lib / sha256.c @ 4035e0e7

History | View | Annotate | Download (10.9 KB)

1
/*
2
 *        BIRD Library -- SHA-256 and SHA-224 Hash Functions,
3
 *                        HMAC-SHA-256 and HMAC-SHA-224 Functions
4
 *
5
 *        (c) 2015 CZ.NIC z.s.p.o.
6
 *
7
 *        Based on the code from libgcrypt-1.6.0, which is
8
 *        (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
9
 *
10
 *        Can be freely distributed and used under the terms of the GNU GPL.
11
 */
12

    
13
#include "lib/sha256.h"
14
#include "lib/unaligned.h"
15

    
16
static uint sha256_transform(void *ctx, const byte *data, size_t nblks);
17

    
18
void
19
sha256_init(struct sha256_context *ctx)
20
{
21
  ctx->h0 = 0x6a09e667;
22
  ctx->h1 = 0xbb67ae85;
23
  ctx->h2 = 0x3c6ef372;
24
  ctx->h3 = 0xa54ff53a;
25
  ctx->h4 = 0x510e527f;
26
  ctx->h5 = 0x9b05688c;
27
  ctx->h6 = 0x1f83d9ab;
28
  ctx->h7 = 0x5be0cd19;
29

    
30
  ctx->nblocks = 0;
31
  ctx->nblocks_high = 0;
32
  ctx->count = 0;
33
  ctx->blocksize = 64;
34
  ctx->transform = sha256_transform;
35
}
36

    
37
void
38
sha224_init(struct sha224_context *ctx)
39
{
40
  ctx->h0 = 0xc1059ed8;
41
  ctx->h1 = 0x367cd507;
42
  ctx->h2 = 0x3070dd17;
43
  ctx->h3 = 0xf70e5939;
44
  ctx->h4 = 0xffc00b31;
45
  ctx->h5 = 0x68581511;
46
  ctx->h6 = 0x64f98fa7;
47
  ctx->h7 = 0xbefa4fa4;
48

    
49
  ctx->nblocks = 0;
50
  ctx->nblocks_high = 0;
51
  ctx->count = 0;
52
  ctx->blocksize = 64;
53
  ctx->transform = sha256_transform;
54
}
55

    
56
/* (4.2) same as SHA-1's F1.  */
57
static inline u32
58
f1(u32 x, u32 y, u32 z)
59
{
60
  return (z ^ (x & (y ^ z)));
61
}
62

    
63
/* (4.3) same as SHA-1's F3 */
64
static inline u32
65
f3(u32 x, u32 y, u32 z)
66
{
67
  return ((x & y) | (z & (x|y)));
68
}
69

    
70
/* Bitwise rotation of an uint to the right */
71
static inline u32 ror(u32 x, int n)
72
{
73
  return ( (x >> (n&(32-1))) | (x << ((32-n)&(32-1))) );
74
}
75

    
76
/* (4.4) */
77
static inline u32
78
sum0(u32 x)
79
{
80
  return (ror(x, 2) ^ ror(x, 13) ^ ror(x, 22));
81
}
82

    
83
/* (4.5) */
84
static inline u32
85
sum1(u32 x)
86
{
87
  return (ror(x, 6) ^ ror(x, 11) ^ ror(x, 25));
88
}
89

    
90
/*
91
  Transform the message X which consists of 16 32-bit-words. See FIPS
92
  180-2 for details.  */
93
#define S0(x) (ror((x),  7) ^ ror((x), 18) ^ ((x) >>  3))        /* (4.6) */
94
#define S1(x) (ror((x), 17) ^ ror((x), 19) ^ ((x) >> 10))        /* (4.7) */
95
#define R(a,b,c,d,e,f,g,h,k,w)                                        \
96
    do                                                                \
97
    {                                                                \
98
      t1 = (h) + sum1((e)) + f1((e),(f),(g)) + (k) + (w);        \
99
      t2 = sum0((a)) + f3((a),(b),(c));                                \
100
      h = g;                                                        \
101
      g = f;                                                        \
102
      f = e;                                                        \
103
      e = d + t1;                                                \
104
      d = c;                                                        \
105
      c = b;                                                        \
106
      b = a;                                                        \
107
      a = t1 + t2;                                                \
108
    } while (0)
109

    
110
/*
111
    The SHA-256 core: Transform the message X which consists of 16
112
    32-bit-words. See FIPS 180-2 for details.
113
 */
114
static uint
115
sha256_transform_block(struct sha256_context *ctx, const byte *data)
116
{
117
  static const u32 K[64] = {
118
      0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
119
      0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
120
      0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
121
      0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
122
      0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
123
      0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
124
      0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
125
      0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
126
      0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
127
      0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
128
      0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
129
      0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
130
      0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
131
      0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
132
      0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
133
      0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
134
  };
135

    
136
  u32 a,b,c,d,e,f,g,h,t1,t2;
137
  u32 w[64];
138
  int i;
139

    
140
  a = ctx->h0;
141
  b = ctx->h1;
142
  c = ctx->h2;
143
  d = ctx->h3;
144
  e = ctx->h4;
145
  f = ctx->h5;
146
  g = ctx->h6;
147
  h = ctx->h7;
148

    
149
  for (i = 0; i < 16; i++)
150
    w[i] = get_u32(data + i * 4);
151
  for (; i < 64; i++)
152
    w[i] = S1(w[i-2]) + w[i-7] + S0(w[i-15]) + w[i-16];
153

    
154
  for (i = 0; i < 64;)
155
  {
156
    t1 = h + sum1(e) + f1(e, f, g) + K[i] + w[i];
157
    t2 = sum0 (a) + f3(a, b, c);
158
    d += t1;
159
    h  = t1 + t2;
160

    
161
    t1 = g + sum1(d) + f1(d, e, f) + K[i+1] + w[i+1];
162
    t2 = sum0 (h) + f3(h, a, b);
163
    c += t1;
164
    g  = t1 + t2;
165

    
166
    t1 = f + sum1(c) + f1(c, d, e) + K[i+2] + w[i+2];
167
    t2 = sum0 (g) + f3(g, h, a);
168
    b += t1;
169
    f  = t1 + t2;
170

    
171
    t1 = e + sum1(b) + f1(b, c, d) + K[i+3] + w[i+3];
172
    t2 = sum0 (f) + f3(f, g, h);
173
    a += t1;
174
    e  = t1 + t2;
175

    
176
    t1 = d + sum1(a) + f1(a, b, c) + K[i+4] + w[i+4];
177
    t2 = sum0 (e) + f3(e, f, g);
178
    h += t1;
179
    d  = t1 + t2;
180

    
181
    t1 = c + sum1(h) + f1(h, a, b) + K[i+5] + w[i+5];
182
    t2 = sum0 (d) + f3(d, e, f);
183
    g += t1;
184
    c  = t1 + t2;
185

    
186
    t1 = b + sum1(g) + f1(g, h, a) + K[i+6] + w[i+6];
187
    t2 = sum0 (c) + f3(c, d, e);
188
    f += t1;
189
    b  = t1 + t2;
190

    
191
    t1 = a + sum1(f) + f1(f, g, h) + K[i+7] + w[i+7];
192
    t2 = sum0 (b) + f3(b, c, d);
193
    e += t1;
194
    a  = t1 + t2;
195

    
196
    i += 8;
197
  }
198

    
199
  ctx->h0 += a;
200
  ctx->h1 += b;
201
  ctx->h2 += c;
202
  ctx->h3 += d;
203
  ctx->h4 += e;
204
  ctx->h5 += f;
205
  ctx->h6 += g;
206
  ctx->h7 += h;
207

    
208
  return /*burn_stack*/ 74*4+32;
209
}
210
#undef S0
211
#undef S1
212
#undef R
213

    
214
static uint
215
sha256_transform(void *ctx, const byte *data, size_t nblks)
216
{
217
  struct sha256_context *hd = ctx;
218
  uint burn;
219

    
220
  do
221
  {
222
    burn = sha256_transform_block(hd, data);
223
    data += 64;
224
  }
225
  while (--nblks);
226

    
227
  return burn;
228
}
229

    
230
/* Common function to write a chunk of data to the transform function
231
   of a hash algorithm.  Note that the use of the term "block" does
232
   not imply a fixed size block.  Note that we explicitly allow to use
233
   this function after the context has been finalized; the result does
234
   not have any meaning but writing after finalize is sometimes
235
   helpful to mitigate timing attacks. */
236
void
237
sha256_update(struct sha256_context *ctx, const byte *in_buf, size_t in_len)
238
{
239
  const uint blocksize = ctx->blocksize;
240
  size_t inblocks;
241

    
242
  if (sizeof(ctx->buf) < blocksize)
243
    debug("BUG: in file %s at line %d", __FILE__ , __LINE__);
244

    
245
  if (ctx->count == blocksize)  /* Flush the buffer. */
246
  {
247
    ctx->transform(ctx, ctx->buf, 1);
248
    ctx->count = 0;
249
    if (!++ctx->nblocks)
250
      ctx->nblocks_high++;
251
  }
252
  if (!in_buf)
253
    return;
254

    
255
  if (ctx->count)
256
  {
257
    for (; in_len && ctx->count < blocksize; in_len--)
258
      ctx->buf[ctx->count++] = *in_buf++;
259
    sha256_update(ctx, NULL, 0);
260
    if (!in_len)
261
      return;
262
  }
263

    
264
  if (in_len >= blocksize)
265
  {
266
    inblocks = in_len / blocksize;
267
    ctx->transform(ctx, in_buf, inblocks);
268
    ctx->count = 0;
269
    ctx->nblocks_high += (ctx->nblocks + inblocks < inblocks);
270
    ctx->nblocks += inblocks;
271
    in_len -= inblocks * blocksize;
272
    in_buf += inblocks * blocksize;
273
  }
274
  for (; in_len && ctx->count < blocksize; in_len--)
275
    ctx->buf[ctx->count++] = *in_buf++;
276
}
277

    
278
/*
279
   The routine finally terminates the computation and returns the
280
   digest.  The handle is prepared for a new cycle, but adding bytes
281
   to the handle will the destroy the returned buffer.  Returns: 32
282
   bytes with the message the digest.  */
283
byte*
284
sha256_final(struct sha256_context *ctx)
285
{
286
  u32 t, th, msb, lsb;
287
  byte *p;
288

    
289
  sha256_update(ctx, NULL, 0); /* flush */;
290

    
291
  t = ctx->nblocks;
292
  if (sizeof t == sizeof ctx->nblocks)
293
    th = ctx->nblocks_high;
294
  else
295
    th = 0;
296

    
297
  /* multiply by 64 to make a byte count */
298
  lsb = t << 6;
299
  msb = (th << 6) | (t >> 26);
300
  /* add the count */
301
  t = lsb;
302
  if ((lsb += ctx->count) < t)
303
    msb++;
304
  /* multiply by 8 to make a bit count */
305
  t = lsb;
306
  lsb <<= 3;
307
  msb <<= 3;
308
  msb |= t >> 29;
309

    
310
  if (ctx->count < 56)
311
  { /* enough room */
312
    ctx->buf[ctx->count++] = 0x80; /* pad */
313
    while (ctx->count < 56)
314
      ctx->buf[ctx->count++] = 0;  /* pad */
315
  }
316
  else
317
  { /* need one extra block */
318
    ctx->buf[ctx->count++] = 0x80; /* pad character */
319
    while (ctx->count < 64)
320
      ctx->buf[ctx->count++] = 0;
321
    sha256_update(ctx, NULL, 0);  /* flush */;
322
    memset (ctx->buf, 0, 56 ); /* fill next block with zeroes */
323
  }
324
  /* append the 64 bit count */
325
  put_u32(ctx->buf + 56, msb);
326
  put_u32(ctx->buf + 60, lsb);
327
  sha256_transform(ctx, ctx->buf, 1);
328

    
329
  p = ctx->buf;
330

    
331
#define X(a) do { put_u32(p, ctx->h##a); p += 4; } while(0)
332
  X(0);
333
  X(1);
334
  X(2);
335
  X(3);
336
  X(4);
337
  X(5);
338
  X(6);
339
  X(7);
340
#undef X
341

    
342
  return ctx->buf;
343
}
344

    
345

    
346
/*
347
 *         SHA256-HMAC
348
 */
349

    
350
static void
351
sha256_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
352
{
353
  struct sha256_context hd_tmp;
354

    
355
  sha256_init(&hd_tmp);
356
  sha256_update(&hd_tmp, buffer, length);
357
  memcpy(outbuf, sha256_final(&hd_tmp), SHA256_SIZE);
358
}
359

    
360
void
361
sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen)
362
{
363
  byte keybuf[SHA256_BLOCK_SIZE], buf[SHA256_BLOCK_SIZE];
364

    
365
  /* Hash the key if necessary */
366
  if (keylen <= SHA256_BLOCK_SIZE)
367
  {
368
    memcpy(keybuf, key, keylen);
369
    bzero(keybuf + keylen, SHA256_BLOCK_SIZE - keylen);
370
  }
371
  else
372
  {
373
    sha256_hash_buffer(keybuf, key, keylen);
374
    bzero(keybuf + SHA256_SIZE, SHA256_BLOCK_SIZE - SHA256_SIZE);
375
  }
376

    
377
  /* Initialize the inner digest */
378
  sha256_init(&ctx->ictx);
379
  int i;
380
  for (i = 0; i < SHA256_BLOCK_SIZE; i++)
381
    buf[i] = keybuf[i] ^ 0x36;
382
  sha256_update(&ctx->ictx, buf, SHA256_BLOCK_SIZE);
383

    
384
  /* Initialize the outer digest */
385
  sha256_init(&ctx->octx);
386
  for (i = 0; i < SHA256_BLOCK_SIZE; i++)
387
    buf[i] = keybuf[i] ^ 0x5c;
388
  sha256_update(&ctx->octx, buf, SHA256_BLOCK_SIZE);
389
}
390

    
391
void sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen)
392
{
393
  /* Just update the inner digest */
394
  sha256_update(&ctx->ictx, buf, buflen);
395
}
396

    
397
byte *sha256_hmac_final(struct sha256_hmac_context *ctx)
398
{
399
  /* Finish the inner digest */
400
  byte *isha = sha256_final(&ctx->ictx);
401

    
402
  /* Finish the outer digest */
403
  sha256_update(&ctx->octx, isha, SHA256_SIZE);
404
  return sha256_final(&ctx->octx);
405
}
406

    
407

    
408
/*
409
 *         SHA224-HMAC
410
 */
411

    
412
static void
413
sha224_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
414
{
415
  struct sha224_context hd_tmp;
416

    
417
  sha224_init(&hd_tmp);
418
  sha224_update(&hd_tmp, buffer, length);
419
  memcpy(outbuf, sha224_final(&hd_tmp), SHA224_SIZE);
420
}
421

    
422
void
423
sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key, size_t keylen)
424
{
425
  byte keybuf[SHA224_BLOCK_SIZE], buf[SHA224_BLOCK_SIZE];
426

    
427
  /* Hash the key if necessary */
428
  if (keylen <= SHA224_BLOCK_SIZE)
429
  {
430
    memcpy(keybuf, key, keylen);
431
    bzero(keybuf + keylen, SHA224_BLOCK_SIZE - keylen);
432
  }
433
  else
434
  {
435
    sha224_hash_buffer(keybuf, key, keylen);
436
    bzero(keybuf + SHA224_SIZE, SHA224_BLOCK_SIZE - SHA224_SIZE);
437
  }
438

    
439
  /* Initialize the inner digest */
440
  sha224_init(&ctx->ictx);
441
  int i;
442
  for (i = 0; i < SHA224_BLOCK_SIZE; i++)
443
    buf[i] = keybuf[i] ^ 0x36;
444
  sha224_update(&ctx->ictx, buf, SHA224_BLOCK_SIZE);
445

    
446
  /* Initialize the outer digest */
447
  sha224_init(&ctx->octx);
448
  for (i = 0; i < SHA224_BLOCK_SIZE; i++)
449
    buf[i] = keybuf[i] ^ 0x5c;
450
  sha224_update(&ctx->octx, buf, SHA224_BLOCK_SIZE);
451
}
452

    
453
void sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen)
454
{
455
  /* Just update the inner digest */
456
  sha256_update(&ctx->ictx, buf, buflen);
457
}
458

    
459
byte *sha224_hmac_final(struct sha224_hmac_context *ctx)
460
{
461
  /* Finish the inner digest */
462
  byte *isha = sha224_final(&ctx->ictx);
463

    
464
  /* Finish the outer digest */
465
  sha224_update(&ctx->octx, isha, SHA224_SIZE);
466
  return sha224_final(&ctx->octx);
467
}