1 /* sha256.c - TinyCrypt SHA-256 crypto hash algorithm implementation */
2
3 /*
4 * Copyright (C) 2017 by Intel Corporation, All Rights Reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * - Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 *
12 * - Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * - Neither the name of Intel Corporation nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include <tinycrypt/sha256.h>
34 #include <tinycrypt/constants.h>
35 #include <tinycrypt/utils.h>
36
37 static void compress(unsigned int *iv, const uint8_t *data);
38
tc_sha256_init(TCSha256State_t s)39 int tc_sha256_init(TCSha256State_t s)
40 {
41 /* input sanity check: */
42 if (s == (TCSha256State_t) 0) {
43 return TC_CRYPTO_FAIL;
44 }
45
46 /*
47 * Setting the initial state values.
48 * These values correspond to the first 32 bits of the fractional parts
49 * of the square roots of the first 8 primes: 2, 3, 5, 7, 11, 13, 17
50 * and 19.
51 */
52 _set((uint8_t *) s, 0x00, sizeof(*s));
53 s->iv[0] = 0x6a09e667;
54 s->iv[1] = 0xbb67ae85;
55 s->iv[2] = 0x3c6ef372;
56 s->iv[3] = 0xa54ff53a;
57 s->iv[4] = 0x510e527f;
58 s->iv[5] = 0x9b05688c;
59 s->iv[6] = 0x1f83d9ab;
60 s->iv[7] = 0x5be0cd19;
61
62 return TC_CRYPTO_SUCCESS;
63 }
64
tc_sha256_update(TCSha256State_t s,const uint8_t * data,size_t datalen)65 int tc_sha256_update(TCSha256State_t s, const uint8_t *data, size_t datalen)
66 {
67 /* input sanity check: */
68 if (s == (TCSha256State_t) 0 ||
69 data == (void *) 0) {
70 return TC_CRYPTO_FAIL;
71 } else if (datalen == 0) {
72 return TC_CRYPTO_SUCCESS;
73 }
74
75 while (datalen-- > 0) {
76 s->leftover[s->leftover_offset++] = *(data++);
77 if (s->leftover_offset >= TC_SHA256_BLOCK_SIZE) {
78 compress(s->iv, s->leftover);
79 s->leftover_offset = 0;
80 s->bits_hashed += (TC_SHA256_BLOCK_SIZE << 3);
81 }
82 }
83
84 return TC_CRYPTO_SUCCESS;
85 }
86
tc_sha256_final(uint8_t * digest,TCSha256State_t s)87 int tc_sha256_final(uint8_t *digest, TCSha256State_t s)
88 {
89 unsigned int i;
90
91 /* input sanity check: */
92 if (digest == (uint8_t *) 0 ||
93 s == (TCSha256State_t) 0) {
94 return TC_CRYPTO_FAIL;
95 }
96
97 s->bits_hashed += (s->leftover_offset << 3);
98
99 s->leftover[s->leftover_offset++] = 0x80; /* always room for one byte */
100 if (s->leftover_offset > (sizeof(s->leftover) - 8)) {
101 /* there is not room for all the padding in this block */
102 _set(s->leftover + s->leftover_offset, 0x00,
103 sizeof(s->leftover) - s->leftover_offset);
104 compress(s->iv, s->leftover);
105 s->leftover_offset = 0;
106 }
107
108 /* add the padding and the length in big-Endian format */
109 _set(s->leftover + s->leftover_offset, 0x00,
110 sizeof(s->leftover) - 8 - s->leftover_offset);
111 s->leftover[sizeof(s->leftover) - 1] = (uint8_t)(s->bits_hashed);
112 s->leftover[sizeof(s->leftover) - 2] = (uint8_t)(s->bits_hashed >> 8);
113 s->leftover[sizeof(s->leftover) - 3] = (uint8_t)(s->bits_hashed >> 16);
114 s->leftover[sizeof(s->leftover) - 4] = (uint8_t)(s->bits_hashed >> 24);
115 s->leftover[sizeof(s->leftover) - 5] = (uint8_t)(s->bits_hashed >> 32);
116 s->leftover[sizeof(s->leftover) - 6] = (uint8_t)(s->bits_hashed >> 40);
117 s->leftover[sizeof(s->leftover) - 7] = (uint8_t)(s->bits_hashed >> 48);
118 s->leftover[sizeof(s->leftover) - 8] = (uint8_t)(s->bits_hashed >> 56);
119
120 /* hash the padding and length */
121 compress(s->iv, s->leftover);
122
123 /* copy the iv out to digest */
124 for (i = 0; i < TC_SHA256_STATE_BLOCKS; ++i) {
125 unsigned int t = *((unsigned int *) &s->iv[i]);
126 *digest++ = (uint8_t)(t >> 24);
127 *digest++ = (uint8_t)(t >> 16);
128 *digest++ = (uint8_t)(t >> 8);
129 *digest++ = (uint8_t)(t);
130 }
131
132 /* destroy the current state */
133 _set(s, 0, sizeof(*s));
134
135 return TC_CRYPTO_SUCCESS;
136 }
137
138 /*
139 * Initializing SHA-256 Hash constant words K.
140 * These values correspond to the first 32 bits of the fractional parts of the
141 * cube roots of the first 64 primes between 2 and 311.
142 */
143 static const unsigned int k256[64] = {
144 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
145 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
146 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
147 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
148 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
149 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
150 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
151 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
152 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
153 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
154 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
155 };
156
ROTR(unsigned int a,unsigned int n)157 static inline unsigned int ROTR(unsigned int a, unsigned int n)
158 {
159 return (((a) >> n) | ((a) << (32 - n)));
160 }
161
162 #define Sigma0(a)(ROTR((a), 2) ^ ROTR((a), 13) ^ ROTR((a), 22))
163 #define Sigma1(a)(ROTR((a), 6) ^ ROTR((a), 11) ^ ROTR((a), 25))
164 #define sigma0(a)(ROTR((a), 7) ^ ROTR((a), 18) ^ ((a) >> 3))
165 #define sigma1(a)(ROTR((a), 17) ^ ROTR((a), 19) ^ ((a) >> 10))
166
167 #define Ch(a, b, c)(((a) & (b)) ^ ((~(a)) & (c)))
168 #define Maj(a, b, c)(((a) & (b)) ^ ((a) & (c)) ^ ((b) & (c)))
169
BigEndian(const uint8_t ** c)170 static inline unsigned int BigEndian(const uint8_t **c)
171 {
172 unsigned int n = 0;
173
174 n = (((unsigned int)(*((*c)++))) << 24);
175 n |= ((unsigned int)(*((*c)++)) << 16);
176 n |= ((unsigned int)(*((*c)++)) << 8);
177 n |= ((unsigned int)(*((*c)++)));
178 return n;
179 }
180
compress(unsigned int * iv,const uint8_t * data)181 static void compress(unsigned int *iv, const uint8_t *data)
182 {
183 unsigned int a, b, c, d, e, f, g, h;
184 unsigned int s0, s1;
185 unsigned int t1, t2;
186 unsigned int work_space[16];
187 unsigned int n;
188 unsigned int i;
189
190 a = iv[0]; b = iv[1]; c = iv[2]; d = iv[3];
191 e = iv[4]; f = iv[5]; g = iv[6]; h = iv[7];
192
193 for (i = 0; i < 16; ++i) {
194 n = BigEndian(&data);
195 t1 = work_space[i] = n;
196 t1 += h + Sigma1(e) + Ch(e, f, g) + k256[i];
197 t2 = Sigma0(a) + Maj(a, b, c);
198 h = g; g = f; f = e; e = d + t1;
199 d = c; c = b; b = a; a = t1 + t2;
200 }
201
202 for ( ; i < 64; ++i) {
203 s0 = work_space[(i + 1) & 0x0f];
204 s0 = sigma0(s0);
205 s1 = work_space[(i + 14) & 0x0f];
206 s1 = sigma1(s1);
207
208 t1 = work_space[i & 0xf] += s0 + s1 + work_space[(i + 9) & 0xf];
209 t1 += h + Sigma1(e) + Ch(e, f, g) + k256[i];
210 t2 = Sigma0(a) + Maj(a, b, c);
211 h = g; g = f; f = e; e = d + t1;
212 d = c; c = b; b = a; a = t1 + t2;
213 }
214
215 iv[0] += a; iv[1] += b; iv[2] += c; iv[3] += d;
216 iv[4] += e; iv[5] += f; iv[6] += g; iv[7] += h;
217 }
218
