1 /* $Cambridge: exim/src/src/pdkim/sha2.c,v 1.1.2.1 2009/02/24 13:13:47 tom Exp $ */
3 * FIPS-180-2 compliant SHA-256 implementation
5 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
7 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
26 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
35 * 32-bit integer manipulation macros (big endian)
38 #define GET_ULONG_BE(n,b,i) \
40 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
41 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
42 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
43 | ( (unsigned long) (b)[(i) + 3] ); \
48 #define PUT_ULONG_BE(n,b,i) \
50 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
51 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
52 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
53 (b)[(i) + 3] = (unsigned char) ( (n) ); \
58 * SHA-256 context setup
60 void sha2_starts( sha2_context *ctx, int is224 )
68 ctx->state[0] = 0x6A09E667;
69 ctx->state[1] = 0xBB67AE85;
70 ctx->state[2] = 0x3C6EF372;
71 ctx->state[3] = 0xA54FF53A;
72 ctx->state[4] = 0x510E527F;
73 ctx->state[5] = 0x9B05688C;
74 ctx->state[6] = 0x1F83D9AB;
75 ctx->state[7] = 0x5BE0CD19;
80 ctx->state[0] = 0xC1059ED8;
81 ctx->state[1] = 0x367CD507;
82 ctx->state[2] = 0x3070DD17;
83 ctx->state[3] = 0xF70E5939;
84 ctx->state[4] = 0xFFC00B31;
85 ctx->state[5] = 0x68581511;
86 ctx->state[6] = 0x64F98FA7;
87 ctx->state[7] = 0xBEFA4FA4;
93 static void sha2_process( sha2_context *ctx, unsigned char data[64] )
95 unsigned long temp1, temp2, W[64];
96 unsigned long A, B, C, D, E, F, G, H;
98 GET_ULONG_BE( W[ 0], data, 0 );
99 GET_ULONG_BE( W[ 1], data, 4 );
100 GET_ULONG_BE( W[ 2], data, 8 );
101 GET_ULONG_BE( W[ 3], data, 12 );
102 GET_ULONG_BE( W[ 4], data, 16 );
103 GET_ULONG_BE( W[ 5], data, 20 );
104 GET_ULONG_BE( W[ 6], data, 24 );
105 GET_ULONG_BE( W[ 7], data, 28 );
106 GET_ULONG_BE( W[ 8], data, 32 );
107 GET_ULONG_BE( W[ 9], data, 36 );
108 GET_ULONG_BE( W[10], data, 40 );
109 GET_ULONG_BE( W[11], data, 44 );
110 GET_ULONG_BE( W[12], data, 48 );
111 GET_ULONG_BE( W[13], data, 52 );
112 GET_ULONG_BE( W[14], data, 56 );
113 GET_ULONG_BE( W[15], data, 60 );
115 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
116 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
118 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
119 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
121 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
122 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
124 #define F0(x,y,z) ((x & y) | (z & (x | y)))
125 #define F1(x,y,z) (z ^ (x & (y ^ z)))
129 W[t] = S1(W[t - 2]) + W[t - 7] + \
130 S0(W[t - 15]) + W[t - 16] \
133 #define P(a,b,c,d,e,f,g,h,x,K) \
135 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
136 temp2 = S2(a) + F0(a,b,c); \
137 d += temp1; h = temp1 + temp2; \
149 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
150 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
151 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
152 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
153 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
154 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
155 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
156 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
157 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
158 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
159 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
160 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
161 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
162 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
163 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
164 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
165 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
166 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
167 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
168 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
169 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
170 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
171 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
172 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
173 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
174 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
175 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
176 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
177 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
178 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
179 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
180 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
181 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
182 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
183 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
184 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
185 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
186 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
187 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
188 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
189 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
190 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
191 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
192 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
193 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
194 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
195 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
196 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
197 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
198 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
199 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
200 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
201 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
202 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
203 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
204 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
205 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
206 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
207 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
208 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
209 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
210 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
211 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
212 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
225 * SHA-256 process buffer
227 void sha2_update( sha2_context *ctx, unsigned char *input, int ilen )
235 left = ctx->total[0] & 0x3F;
238 ctx->total[0] += ilen;
239 ctx->total[0] &= 0xFFFFFFFF;
241 if( ctx->total[0] < (unsigned long) ilen )
244 if( left && ilen >= fill )
246 memcpy( (void *) (ctx->buffer + left),
247 (void *) input, fill );
248 sha2_process( ctx, ctx->buffer );
256 sha2_process( ctx, input );
263 memcpy( (void *) (ctx->buffer + left),
264 (void *) input, ilen );
268 static const unsigned char sha2_padding[64] =
270 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
271 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
272 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
273 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
277 * SHA-256 final digest
279 void sha2_finish( sha2_context *ctx, unsigned char output[32] )
281 unsigned long last, padn;
282 unsigned long high, low;
283 unsigned char msglen[8];
285 high = ( ctx->total[0] >> 29 )
286 | ( ctx->total[1] << 3 );
287 low = ( ctx->total[0] << 3 );
289 PUT_ULONG_BE( high, msglen, 0 );
290 PUT_ULONG_BE( low, msglen, 4 );
292 last = ctx->total[0] & 0x3F;
293 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
295 sha2_update( ctx, (unsigned char *) sha2_padding, padn );
296 sha2_update( ctx, msglen, 8 );
298 PUT_ULONG_BE( ctx->state[0], output, 0 );
299 PUT_ULONG_BE( ctx->state[1], output, 4 );
300 PUT_ULONG_BE( ctx->state[2], output, 8 );
301 PUT_ULONG_BE( ctx->state[3], output, 12 );
302 PUT_ULONG_BE( ctx->state[4], output, 16 );
303 PUT_ULONG_BE( ctx->state[5], output, 20 );
304 PUT_ULONG_BE( ctx->state[6], output, 24 );
306 if( ctx->is224 == 0 )
307 PUT_ULONG_BE( ctx->state[7], output, 28 );
311 * output = SHA-256( input buffer )
313 void sha2( unsigned char *input, int ilen,
314 unsigned char output[32], int is224 )
318 sha2_starts( &ctx, is224 );
319 sha2_update( &ctx, input, ilen );
320 sha2_finish( &ctx, output );
322 memset( &ctx, 0, sizeof( sha2_context ) );
326 * output = SHA-256( file contents )
328 int sha2_file( char *path, unsigned char output[32], int is224 )
333 unsigned char buf[1024];
335 if( ( f = fopen( path, "rb" ) ) == NULL )
338 sha2_starts( &ctx, is224 );
340 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
341 sha2_update( &ctx, buf, (int) n );
343 sha2_finish( &ctx, output );
345 memset( &ctx, 0, sizeof( sha2_context ) );
347 if( ferror( f ) != 0 )
358 * SHA-256 HMAC context setup
360 void sha2_hmac_starts( sha2_context *ctx, unsigned char *key, int keylen,
364 unsigned char sum[32];
368 sha2( key, keylen, sum, is224 );
369 keylen = ( is224 ) ? 28 : 32;
373 memset( ctx->ipad, 0x36, 64 );
374 memset( ctx->opad, 0x5C, 64 );
376 for( i = 0; i < keylen; i++ )
378 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
379 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
382 sha2_starts( ctx, is224 );
383 sha2_update( ctx, ctx->ipad, 64 );
385 memset( sum, 0, sizeof( sum ) );
389 * SHA-256 HMAC process buffer
391 void sha2_hmac_update( sha2_context *ctx, unsigned char *input, int ilen )
393 sha2_update( ctx, input, ilen );
397 * SHA-256 HMAC final digest
399 void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
402 unsigned char tmpbuf[32];
405 hlen = ( is224 == 0 ) ? 32 : 28;
407 sha2_finish( ctx, tmpbuf );
408 sha2_starts( ctx, is224 );
409 sha2_update( ctx, ctx->opad, 64 );
410 sha2_update( ctx, tmpbuf, hlen );
411 sha2_finish( ctx, output );
413 memset( tmpbuf, 0, sizeof( tmpbuf ) );
417 * output = HMAC-SHA-256( hmac key, input buffer )
419 void sha2_hmac( unsigned char *key, int keylen,
420 unsigned char *input, int ilen,
421 unsigned char output[32], int is224 )
425 sha2_hmac_starts( &ctx, key, keylen, is224 );
426 sha2_hmac_update( &ctx, input, ilen );
427 sha2_hmac_finish( &ctx, output );
429 memset( &ctx, 0, sizeof( sha2_context ) );