search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
"crayon" license replaced with CC0 waiver
[rofl0r-kripto.git] / lib / hash / sha2_256.c
blob785fd3aa8afa74f6dd4722cbfe6f3e7881cbafcf
1 /*
2 * Written in 2013 by Gregor Pintar <grpintar@gmail.com>
3 *
4 * To the extent possible under law, the author(s) have dedicated
5 * all copyright and related and neighboring rights to this software
6 * to the public domain worldwide.
7 *
8 * This software is distributed without any warranty.
9 *
10 * You should have received a copy of the CC0 Public Domain Dedication.
11 * If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
12 */
13
14 #include <stdint.h>
15 #include <stddef.h>
16 #include <stdlib.h>
17 #include <limits.h>
18 #include <assert.h>
19
20 #include <kripto/cast.h>
21 #include <kripto/loadstore.h>
22 #include <kripto/rotate.h>
23 #include <kripto/memwipe.h>
24 #include <kripto/hash.h>
25 #include <kripto/desc/hash.h>
26 #include <kripto/object/hash.h>
27
28 #include <kripto/hash/sha2_256.h>
29
30 struct kripto_hash
31 {
32 struct kripto_hash_object obj;
33 uint64_t len;
34 uint32_t h[8];
35 uint8_t buf[64];
36 unsigned int r;
37 unsigned int i;
38 int o;
39 };
40
41 #define CH(X0, X1, X2) (X2 ^ (X0 & (X1 ^ X2)))
42 #define MAJ(X0, X1, X2) ((X0 & X1) | (X2 & (X0 | X1)))
43
44 #define S0(X) (ROR32(X, 7) ^ ROR32(X, 18) ^ ((X) >> 3))
45 #define S1(X) (ROR32(X, 17) ^ ROR32(X, 19) ^ ((X) >> 10))
46
47 #define E0(X) (ROR32(X, 2) ^ ROR32(X, 13) ^ ROR32(X, 22))
48 #define E1(X) (ROR32(X, 6) ^ ROR32(X, 11) ^ ROR32(X, 25))
49
50 static const uint32_t k[128] =
51 {
52 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
53 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
54 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
55 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
56 0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
57 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
58 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
59 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
60 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
61 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
62 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
63 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
64 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
65 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
66 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
67 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
68 0xCA273ECE, 0xD186B8C7, 0xEADA7DD6, 0xF57D4F7F,
69 0x06F067AA, 0x0A637DC5, 0x113F9804, 0x1B710B35,
70 0x28DB77F5, 0x32CAAB7B, 0x3C9EBE0A, 0x431D67C4,
71 0x4CC5D4BE, 0x597F299C, 0x5FCB6FAB, 0x6C44198C,
72 0x7BA0EA2D, 0x7EABF2D0, 0x8DBE8D03, 0x90BB1721,
73 0x99A2AD45, 0x9F86E289, 0xA84C4472, 0xB3DF34FC,
74 0xB99BB8D7, 0xBC76CBAB, 0xC226A69A, 0xD304F19A,
75 0xDE1BE20A, 0xE39BB437, 0xEE84927C, 0xF3EDD277,
76 0xFBFDFE53, 0x0BEE2C7A, 0x0E90181C, 0x25F57204,
77 0x2DA45582, 0x3A52C34C, 0x41DC0172, 0x495796FC,
78 0x4BD31FC6, 0x533CDE21, 0x5F7ABFE3, 0x66C206B3,
79 0x6DFCC6BC, 0x7062F20F, 0x778D5127, 0x7EABA3CC,
80 0x8363ECCC, 0x85BE1C25, 0x93C04028, 0x9F4A205F,
81 0xA1953565, 0xA627BB0F, 0xACFA8089, 0xB3C29B23,
82 0xB602F6FA, 0xC36CEE0A, 0xC7DC81EE, 0xCE7B8471,
83 0xD740288C, 0xE21DBA7A, 0xEABBFF66, 0xF56A9E60
84 };
85
86 static kripto_hash *sha2_256_recreate
87 (
88 kripto_hash *s,
89 unsigned int r,
90 size_t len
91 )
92 {
93 s->len = s->o = s->i = 0;
94
95 s->r = r;
96 if(!s->r) s->r = 64;
97
98 if(len > 28)
99 {
100 /* 256 */
101 s->h[0] = 0x6A09E667;
102 s->h[1] = 0xBB67AE85;
103 s->h[2] = 0x3C6EF372;
104 s->h[3] = 0xA54FF53A;
105 s->h[4] = 0x510E527F;
106 s->h[5] = 0x9B05688C;
107 s->h[6] = 0x1F83D9AB;
108 s->h[7] = 0x5BE0CD19;
109 }
110 else
111 {
112 /* 224 */
113 s->h[0] = 0xC1059ED8;
114 s->h[1] = 0x367CD507;
115 s->h[2] = 0x3070DD17;
116 s->h[3] = 0xF70E5939;
117 s->h[4] = 0xFFC00B31;
118 s->h[5] = 0x68581511;
119 s->h[6] = 0x64F98FA7;
120 s->h[7] = 0xBEFA4FA4;
121 }
122
123 return s;
124 }
125
126 static void sha2_256_process(kripto_hash *s, const uint8_t *data)
127 {
128 uint32_t a = s->h[0];
129 uint32_t b = s->h[1];
130 uint32_t c = s->h[2];
131 uint32_t d = s->h[3];
132 uint32_t e = s->h[4];
133 uint32_t f = s->h[5];
134 uint32_t g = s->h[6];
135 uint32_t h = s->h[7];
136 uint32_t t;
137 uint32_t w[128];
138 unsigned int i;
139
140 w[0] = LOAD32B(data);
141 w[1] = LOAD32B(data + 4);
142 w[2] = LOAD32B(data + 8);
143 w[3] = LOAD32B(data + 12);
144 w[4] = LOAD32B(data + 16);
145 w[5] = LOAD32B(data + 20);
146 w[6] = LOAD32B(data + 24);
147 w[7] = LOAD32B(data + 28);
148 w[8] = LOAD32B(data + 32);
149 w[9] = LOAD32B(data + 36);
150 w[10] = LOAD32B(data + 40);
151 w[11] = LOAD32B(data + 44);
152 w[12] = LOAD32B(data + 48);
153 w[13] = LOAD32B(data + 52);
154 w[14] = LOAD32B(data + 56);
155 w[15] = LOAD32B(data + 60);
156
157 for(i = 16; i < s->r; i++)
158 w[i] = w[i - 16] + S0(w[i - 15]) + w[i - 7] + S1(w[i - 2]);
159
160 for(i = 0; i < s->r; i++)
161 {
162 h += E1(e) + CH(e, f, g) + k[i] + w[i];
163 d += h;
164 h += E0(a) + MAJ(a, b, c);
165
166 t = h;
167 h = g;
168 g = f;
169 f = e;
170 e = d;
171 d = c;
172 c = b;
173 b = a;
174 a = t;
175 }
176
177 kripto_memwipe(w, s->r << 2);
178
179 s->h[0] += a;
180 s->h[1] += b;
181 s->h[2] += c;
182 s->h[3] += d;
183 s->h[4] += e;
184 s->h[5] += f;
185 s->h[6] += g;
186 s->h[7] += h;
187 }
188
189 static void sha2_256_input
190 (
191 kripto_hash *s,
192 const void *in,
193 size_t len
194 )
195 {
196 size_t i;
197
198 s->len += len << 3;
199 assert(s->len >= len << 3);
200
201 for(i = 0; i < len; i++)
202 {
203 s->buf[s->i++] = CU8(in)[i];
204
205 if(s->i == 64)
206 {
207 sha2_256_process(s, s->buf);
208 s->i = 0;
209 }
210 }
211 }
212
213 static void sha2_256_finish(kripto_hash *s)
214 {
215 s->buf[s->i++] = 0x80; /* pad */
216
217 if(s->i > 56) /* not enough space for length */
218 {
219 while(s->i < 64) s->buf[s->i++] = 0;
220 sha2_256_process(s, s->buf);
221 s->i = 0;
222 }
223 while(s->i < 56) s->buf[s->i++] = 0;
224
225 /* add length */
226 //s->len << 3;
227 STORE64B(s->len, s->buf + 56);
228
229 sha2_256_process(s, s->buf);
230
231 s->i = 0;
232 s->o = -1;
233 }
234
235 static void sha2_256_output(kripto_hash *s, void *out, size_t len)
236 {
237 unsigned int i;
238
239 if(!s->o) sha2_256_finish(s);
240
241 /* big endian */
242 for(i = 0; i < len; s->i++, i++)
243 U8(out)[i] = s->h[s->i >> 2] >> (24 - ((s->i & 3) << 3));
244 }
245
246 static kripto_hash *sha2_256_create(unsigned int r, size_t len)
247 {
248 kripto_hash *s;
249
250 s = malloc(sizeof(kripto_hash));
251 if(!s) return 0;
252
253 s->obj.desc = kripto_hash_sha2_256;
254
255 (void)sha2_256_recreate(s, r, len);
256
257 return s;
258 }
259
260 static void sha2_256_destroy(kripto_hash *s)
261 {
262 kripto_memwipe(s, sizeof(kripto_hash));
263 free(s);
264 }
265
266 static int sha2_256_hash
267 (
268 unsigned int r,
269 const void *in,
270 size_t in_len,
271 void *out,
272 size_t out_len
273 )
274 {
275 kripto_hash s;
276
277 (void)sha2_256_recreate(&s, r, out_len);
278 sha2_256_input(&s, in, in_len);
279 sha2_256_output(&s, out, out_len);
280
281 kripto_memwipe(&s, sizeof(kripto_hash));
282
283 return 0;
284 }
285
286 static const kripto_hash_desc sha2_256 =
287 {
288 &sha2_256_create,
289 &sha2_256_recreate,
290 &sha2_256_input,
291 &sha2_256_output,
292 &sha2_256_destroy,
293 &sha2_256_hash,
294 32, /* max output */
295 64 /* block_size */
296 };
297
298 const kripto_hash_desc *const kripto_hash_sha2_256 = &sha2_256;