1/* sha256.c
2**
3** Copyright 2013, The Android Open Source Project
4**
5** Redistribution and use in source and binary forms, with or without
6** modification, are permitted provided that the following conditions are met:
7**     * Redistributions of source code must retain the above copyright
8**       notice, this list of conditions and the following disclaimer.
9**     * Redistributions in binary form must reproduce the above copyright
10**       notice, this list of conditions and the following disclaimer in the
11**       documentation and/or other materials provided with the distribution.
12**     * Neither the name of Google Inc. nor the names of its contributors may
13**       be used to endorse or promote products derived from this software
14**       without specific prior written permission.
15**
16** THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR
17** IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
18** MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
19** EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
20** SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
21** PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
22** OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
23** WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24** OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25** ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26*/
27
28// Optimized for minimal code size.
29
30#include "mincrypt/sha256.h"
31
32#include <stdio.h>
33#include <string.h>
34#include <stdint.h>
35
36#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
37#define shr(value, bits) ((value) >> (bits))
38
39static const uint32_t K[64] = {
40    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
41    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
42    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
43    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
44    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
45    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
46    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
47    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
48    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
49    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
50    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
51    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
52    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
53    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
54    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
55    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };
56
57static void SHA256_Transform(SHA256_CTX* ctx) {
58    uint32_t W[64];
59    uint32_t A, B, C, D, E, F, G, H;
60    uint8_t* p = ctx->buf;
61    int t;
62
63    for(t = 0; t < 16; ++t) {
64        uint32_t tmp =  *p++ << 24;
65        tmp |= *p++ << 16;
66        tmp |= *p++ << 8;
67        tmp |= *p++;
68        W[t] = tmp;
69    }
70
71    for(; t < 64; t++) {
72        uint32_t s0 = ror(W[t-15], 7) ^ ror(W[t-15], 18) ^ shr(W[t-15], 3);
73        uint32_t s1 = ror(W[t-2], 17) ^ ror(W[t-2], 19) ^ shr(W[t-2], 10);
74        W[t] = W[t-16] + s0 + W[t-7] + s1;
75    }
76
77    A = ctx->state[0];
78    B = ctx->state[1];
79    C = ctx->state[2];
80    D = ctx->state[3];
81    E = ctx->state[4];
82    F = ctx->state[5];
83    G = ctx->state[6];
84    H = ctx->state[7];
85
86    for(t = 0; t < 64; t++) {
87        uint32_t s0 = ror(A, 2) ^ ror(A, 13) ^ ror(A, 22);
88        uint32_t maj = (A & B) ^ (A & C) ^ (B & C);
89        uint32_t t2 = s0 + maj;
90        uint32_t s1 = ror(E, 6) ^ ror(E, 11) ^ ror(E, 25);
91        uint32_t ch = (E & F) ^ ((~E) & G);
92        uint32_t t1 = H + s1 + ch + K[t] + W[t];
93
94        H = G;
95        G = F;
96        F = E;
97        E = D + t1;
98        D = C;
99        C = B;
100        B = A;
101        A = t1 + t2;
102    }
103
104    ctx->state[0] += A;
105    ctx->state[1] += B;
106    ctx->state[2] += C;
107    ctx->state[3] += D;
108    ctx->state[4] += E;
109    ctx->state[5] += F;
110    ctx->state[6] += G;
111    ctx->state[7] += H;
112}
113
114static const HASH_VTAB SHA256_VTAB = {
115    SHA256_init,
116    SHA256_update,
117    SHA256_final,
118    SHA256_hash,
119    SHA256_DIGEST_SIZE
120};
121
122void SHA256_init(SHA256_CTX* ctx) {
123    ctx->f = &SHA256_VTAB;
124    ctx->state[0] = 0x6a09e667;
125    ctx->state[1] = 0xbb67ae85;
126    ctx->state[2] = 0x3c6ef372;
127    ctx->state[3] = 0xa54ff53a;
128    ctx->state[4] = 0x510e527f;
129    ctx->state[5] = 0x9b05688c;
130    ctx->state[6] = 0x1f83d9ab;
131    ctx->state[7] = 0x5be0cd19;
132    ctx->count = 0;
133}
134
135
136void SHA256_update(SHA256_CTX* ctx, const void* data, int len) {
137    int i = (int) (ctx->count & 63);
138    const uint8_t* p = (const uint8_t*)data;
139
140    ctx->count += len;
141
142    while (len--) {
143        ctx->buf[i++] = *p++;
144        if (i == 64) {
145            SHA256_Transform(ctx);
146            i = 0;
147        }
148    }
149}
150
151
152const uint8_t* SHA256_final(SHA256_CTX* ctx) {
153    uint8_t *p = ctx->buf;
154    uint64_t cnt = ctx->count * 8;
155    int i;
156
157    SHA256_update(ctx, (uint8_t*)"\x80", 1);
158    while ((ctx->count & 63) != 56) {
159        SHA256_update(ctx, (uint8_t*)"\0", 1);
160    }
161    for (i = 0; i < 8; ++i) {
162        uint8_t tmp = (uint8_t) (cnt >> ((7 - i) * 8));
163        SHA256_update(ctx, &tmp, 1);
164    }
165
166    for (i = 0; i < 8; i++) {
167        uint32_t tmp = ctx->state[i];
168        *p++ = tmp >> 24;
169        *p++ = tmp >> 16;
170        *p++ = tmp >> 8;
171        *p++ = tmp >> 0;
172    }
173
174    return ctx->buf;
175}
176
177/* Convenience function */
178const uint8_t* SHA256_hash(const void* data, int len, uint8_t* digest) {
179    SHA256_CTX ctx;
180    SHA256_init(&ctx);
181    SHA256_update(&ctx, data, len);
182    memcpy(digest, SHA256_final(&ctx), SHA256_DIGEST_SIZE);
183    return digest;
184}
185