iofbird / bird2.0.1 / lib / sha256.c @ 6b3f1a54
History  View  Annotate  Download (7.33 KB)
1 
/*


2 
* BIRD Library  SHA256 and SHA224 Hash Functions

3 
*

4 
* (c) 2015 CZ.NIC z.s.p.o.

5 
*

6 
* Based on the code from libgcrypt1.6.0, which is

7 
* (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.

8 
*

9 
* Can be freely distributed and used under the terms of the GNU GPL.

10 
*/

11  
12 
#include "lib/sha256.h" 
13 
#include "lib/unaligned.h" 
14  
15  
16 
// #define SHA256_UNROLLED

17  
18 
void

19 
sha256_init(struct hash_context *CTX)

20 
{ 
21 
struct sha256_context *ctx = (void *) CTX; 
22  
23 
ctx>h0 = 0x6a09e667;

24 
ctx>h1 = 0xbb67ae85;

25 
ctx>h2 = 0x3c6ef372;

26 
ctx>h3 = 0xa54ff53a;

27 
ctx>h4 = 0x510e527f;

28 
ctx>h5 = 0x9b05688c;

29 
ctx>h6 = 0x1f83d9ab;

30 
ctx>h7 = 0x5be0cd19;

31  
32 
ctx>nblocks = 0;

33 
ctx>count = 0;

34 
} 
35  
36 
void

37 
sha224_init(struct hash_context *CTX)

38 
{ 
39 
struct sha224_context *ctx = (void *) CTX; 
40  
41 
ctx>h0 = 0xc1059ed8;

42 
ctx>h1 = 0x367cd507;

43 
ctx>h2 = 0x3070dd17;

44 
ctx>h3 = 0xf70e5939;

45 
ctx>h4 = 0xffc00b31;

46 
ctx>h5 = 0x68581511;

47 
ctx>h6 = 0x64f98fa7;

48 
ctx>h7 = 0xbefa4fa4;

49  
50 
ctx>nblocks = 0;

51 
ctx>count = 0;

52 
} 
53  
54 
/* (4.2) same as SHA1's F1. */

55 
static inline u32 
56 
f1(u32 x, u32 y, u32 z) 
57 
{ 
58 
return (z ^ (x & (y ^ z)));

59 
} 
60  
61 
/* (4.3) same as SHA1's F3 */

62 
static inline u32 
63 
f3(u32 x, u32 y, u32 z) 
64 
{ 
65 
return ((x & y)  (z & (xy)));

66 
} 
67  
68 
/* Bitwise rotation of an uint to the right */

69 
static inline u32 ror(u32 x, int n) 
70 
{ 
71 
return ((x >> (n&(321)))  (x << ((32n)&(321)))); 
72 
} 
73  
74 
/* (4.4) */

75 
static inline u32 
76 
sum0(u32 x) 
77 
{ 
78 
return (ror(x, 2) ^ ror(x, 13) ^ ror(x, 22)); 
79 
} 
80  
81 
/* (4.5) */

82 
static inline u32 
83 
sum1(u32 x) 
84 
{ 
85 
return (ror(x, 6) ^ ror(x, 11) ^ ror(x, 25)); 
86 
} 
87  
88 
/*

89 
Transform the message X which consists of 16 32bitwords. See FIPS

90 
1802 for details. */

91 
#define S0(x) (ror((x), 7) ^ ror((x), 18) ^ ((x) >> 3)) /* (4.6) */ 
92 
#define S1(x) (ror((x), 17) ^ ror((x), 19) ^ ((x) >> 10)) /* (4.7) */ 
93 
#define R(a,b,c,d,e,f,g,h,k,w) \

94 
do \

95 
{ \ 
96 
t1 = (h) + sum1((e)) + f1((e),(f),(g)) + (k) + (w); \ 
97 
t2 = sum0((a)) + f3((a),(b),(c)); \ 
98 
h = g; \ 
99 
g = f; \ 
100 
f = e; \ 
101 
e = d + t1; \ 
102 
d = c; \ 
103 
c = b; \ 
104 
b = a; \ 
105 
a = t1 + t2; \ 
106 
} while (0) 
107  
108 
/*

109 
The SHA256 core: Transform the message X which consists of 16

110 
32bitwords. See FIPS 1802 for details.

111 
*/

112 
static uint

113 
sha256_transform(struct sha256_context *ctx, const byte *data) 
114 
{ 
115 
static const u32 K[64] = { 
116 
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 
117 
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 
118 
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 
119 
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 
120 
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 
121 
0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 
122 
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 
123 
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 
124 
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 
125 
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 
126 
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 
127 
0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 
128 
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 
129 
0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 
130 
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 
131 
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 
132 
}; 
133  
134 
u32 a,b,c,d,e,f,g,h,t1,t2; 
135 
u32 w[64];

136 
int i;

137  
138 
a = ctx>h0; 
139 
b = ctx>h1; 
140 
c = ctx>h2; 
141 
d = ctx>h3; 
142 
e = ctx>h4; 
143 
f = ctx>h5; 
144 
g = ctx>h6; 
145 
h = ctx>h7; 
146  
147 
for (i = 0; i < 16; i++) 
148 
w[i] = get_u32(data + i * 4);

149  
150 
for (; i < 64; i++) 
151 
w[i] = S1(w[i2]) + w[i7] + S0(w[i15]) + w[i16]; 
152  
153 
for (i = 0; i < 64;) 
154 
{ 
155 
#ifndef SHA256_UNROLLED

156 
R(a,b,c,d,e,f,g,h,K[i],w[i]); 
157 
i++; 
158 
#else /* Unrolled */ 
159 
t1 = h + sum1(e) + f1(e, f, g) + K[i] + w[i]; 
160 
t2 = sum0(a) + f3(a, b, c); 
161 
d += t1; 
162 
h = t1 + t2; 
163  
164 
t1 = g + sum1(d) + f1(d, e, f) + K[i+1] + w[i+1]; 
165 
t2 = sum0(h) + f3(h, a, b); 
166 
c += t1; 
167 
g = t1 + t2; 
168  
169 
t1 = f + sum1(c) + f1(c, d, e) + K[i+2] + w[i+2]; 
170 
t2 = sum0(g) + f3(g, h, a); 
171 
b += t1; 
172 
f = t1 + t2; 
173  
174 
t1 = e + sum1(b) + f1(b, c, d) + K[i+3] + w[i+3]; 
175 
t2 = sum0(f) + f3(f, g, h); 
176 
a += t1; 
177 
e = t1 + t2; 
178  
179 
t1 = d + sum1(a) + f1(a, b, c) + K[i+4] + w[i+4]; 
180 
t2 = sum0(e) + f3(e, f, g); 
181 
h += t1; 
182 
d = t1 + t2; 
183  
184 
t1 = c + sum1(h) + f1(h, a, b) + K[i+5] + w[i+5]; 
185 
t2 = sum0(d) + f3(d, e, f); 
186 
g += t1; 
187 
c = t1 + t2; 
188  
189 
t1 = b + sum1(g) + f1(g, h, a) + K[i+6] + w[i+6]; 
190 
t2 = sum0(c) + f3(c, d, e); 
191 
f += t1; 
192 
b = t1 + t2; 
193  
194 
t1 = a + sum1(f) + f1(f, g, h) + K[i+7] + w[i+7]; 
195 
t2 = sum0(b) + f3(b, c, d); 
196 
e += t1; 
197 
a = t1 + t2; 
198  
199 
i += 8;

200 
#endif

201 
} 
202  
203 
ctx>h0 += a; 
204 
ctx>h1 += b; 
205 
ctx>h2 += c; 
206 
ctx>h3 += d; 
207 
ctx>h4 += e; 
208 
ctx>h5 += f; 
209 
ctx>h6 += g; 
210 
ctx>h7 += h; 
211  
212 
return /*burn_stack*/ 74*4+32; 
213 
} 
214 
#undef S0

215 
#undef S1

216 
#undef R

217  
218 
/* Common function to write a chunk of data to the transform function

219 
of a hash algorithm. Note that the use of the term "block" does

220 
not imply a fixed size block. Note that we explicitly allow to use

221 
this function after the context has been finalized; the result does

222 
not have any meaning but writing after finalize is sometimes

223 
helpful to mitigate timing attacks. */

224 
void

225 
sha256_update(struct hash_context *CTX, const byte *buf, uint len) 
226 
{ 
227 
struct sha256_context *ctx = (void *) CTX; 
228  
229 
if (ctx>count)

230 
{ 
231 
/* Fill rest of internal buffer */

232 
for (; len && ctx>count < SHA256_BLOCK_SIZE; len)

233 
ctx>buf[ctx>count++] = *buf++; 
234  
235 
if (ctx>count < SHA256_BLOCK_SIZE)

236 
return;

237  
238 
/* Process data from internal buffer */

239 
sha256_transform(ctx, ctx>buf); 
240 
ctx>nblocks++; 
241 
ctx>count = 0;

242 
} 
243  
244 
if (!len)

245 
return;

246  
247 
/* Process data from input buffer */

248 
while (len >= SHA256_BLOCK_SIZE)

249 
{ 
250 
sha256_transform(ctx, buf); 
251 
ctx>nblocks++; 
252 
buf += SHA256_BLOCK_SIZE; 
253 
len = SHA256_BLOCK_SIZE; 
254 
} 
255  
256 
/* Copy remaining data to internal buffer */

257 
memcpy(ctx>buf, buf, len); 
258 
ctx>count = len; 
259 
} 
260  
261 
/*

262 
* The routine finally terminates the computation and returns the digest. The

263 
* handle is prepared for a new cycle, but adding bytes to the handle will the

264 
* destroy the returned buffer.

265 
*

266 
* Returns: 32 bytes with the message the digest. 28 bytes for SHA224.

267 
*/

268 
byte * 
269 
sha256_final(struct hash_context *CTX)

270 
{ 
271 
struct sha256_context *ctx = (void *) CTX; 
272 
u32 t, th, msb, lsb; 
273  
274 
sha256_update(CTX, NULL, 0); /* flush */ 
275  
276 
t = ctx>nblocks; 
277 
th = 0;

278  
279 
/* multiply by 64 to make a byte count */

280 
lsb = t << 6;

281 
msb = (th << 6)  (t >> 26); 
282 
/* add the count */

283 
t = lsb; 
284 
if ((lsb += ctx>count) < t)

285 
msb++; 
286 
/* multiply by 8 to make a bit count */

287 
t = lsb; 
288 
lsb <<= 3;

289 
msb <<= 3;

290 
msb = t >> 29;

291  
292 
if (ctx>count < 56) 
293 
{ 
294 
/* enough room */

295 
ctx>buf[ctx>count++] = 0x80; /* pad */ 
296 
while (ctx>count < 56) 
297 
ctx>buf[ctx>count++] = 0; /* pad */ 
298 
} 
299 
else

300 
{ 
301 
/* need one extra block */

302 
ctx>buf[ctx>count++] = 0x80; /* pad character */ 
303 
while (ctx>count < 64) 
304 
ctx>buf[ctx>count++] = 0;

305 
sha256_update(CTX, NULL, 0); /* flush */; 
306 
memset(ctx>buf, 0, 56 ); /* fill next block with zeroes */ 
307 
} 
308  
309 
/* append the 64 bit count */

310 
put_u32(ctx>buf + 56, msb);

311 
put_u32(ctx>buf + 60, lsb);

312 
sha256_transform(ctx, ctx>buf); 
313  
314 
byte *p = ctx>buf; 
315 
#define X(a) do { put_u32(p, ctx>h##a); p += 4; } while(0) 
316 
X(0);

317 
X(1);

318 
X(2);

319 
X(3);

320 
X(4);

321 
X(5);

322 
X(6);

323 
X(7);

324 
#undef X

325  
326 
return ctx>buf;

327 
} 