Fork of MiniTLS-GPL by
crypto_sha256.c
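/*
MiniTLS - A super trimmed down TLS/SSL Library for embedded devices
Author: Donatien Garnier
Copyright (C) 2013-2014 AppNearMe Ltd

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*//**
 * \file crypto_sha256.c
 * \copyright Copyright (c) AppNearMe Ltd 2013
 * \author Donatien Garnier
 */

#define __DEBUG__ 0
#define __MODULE__ "crypto_sha256.c"

//This module has been adapted from libtomcrypt (http://libtom.org/)

#include "core/fwk.h"
#include "crypto_sha256.h"
#include "inc/minitls_errors.h"
#include "crypto_macros.h"

/*
 * Log the error and then spin forever. The public functions in this file
 * return void, so an inconsistent context cannot be reported to the caller;
 * the device halts here instead of hashing with corrupted state.
 */
#define fatal(x) do{ ERR("Fatal error %s - %d", #x, x); while(1); }while(0)

static void crypto_sha256_compress(crypto_sha256_t* hash, unsigned char *buf);

/**
 * Reset a SHA-256 context so that a new message can be hashed.
 *
 * Loads the eight standard SHA-256 initial hash values (FIPS 180-4) and
 * clears the buffered-byte count and the running message length.
 *
 * \param hash context to initialise; must not be NULL (not checked here)
 */
void crypto_sha256_init(crypto_sha256_t* hash)
{
  hash->state[0] = 0x6A09E667UL;
  hash->state[1] = 0xBB67AE85UL;
  hash->state[2] = 0x3C6EF372UL;
  hash->state[3] = 0xA54FF53AUL;
  hash->state[4] = 0x510E527FUL;
  hash->state[5] = 0x9B05688CUL;
  hash->state[6] = 0x1F83D9ABUL;
  hash->state[7] = 0x5BE0CD19UL;
  hash->curlen = 0;
  hash->length = 0;
}

/**
 * Feed \p size bytes of message data into the hash.
 *
 * Whole 64-byte blocks are compressed straight from \p data while the
 * internal buffer is empty; anything else is staged in hash->buf and
 * compressed once 64 bytes have accumulated.
 *
 * \param hash context previously set up with crypto_sha256_init()
 * \param data input bytes
 * \param size number of bytes available at \p data
 *
 * Does not return if hash->curlen is larger than the internal buffer
 * (see fatal()).
 */
void crypto_sha256_update(crypto_sha256_t* hash, const uint8_t* data, size_t size)
{
  unsigned long n;

  /* A curlen beyond the buffer means the context is corrupted or was never
   * initialised; continuing would make the memcpy below write out of bounds. */
  if ( hash->curlen > sizeof( hash->buf)) {
    //return CRYPTO_ERR_PARAMETERS;
    fatal(CRYPTO_ERR_PARAMETERS);
  }
  while (size > 0) {
    if ( hash->curlen == 0 && size >= 64) {
      /* Fast path: hash directly from the caller's buffer. The cast drops
       * const only because crypto_sha256_compress() takes a non-const
       * pointer; the only use of buf there is as the source of LOAD32H. */
      crypto_sha256_compress(hash, (unsigned char *)data);
      hash->length += 64 * 8;
      data += 64;
      size -= 64;
    } else {
      /* n = min(size, free space left in the 64-byte block buffer) */
      n = ( ((size)<((64 - hash->curlen)))?(size):((64 - hash->curlen)) );
      memcpy( hash->buf + hash->curlen, data, (size_t)n);
      hash->curlen += n;
      data += n;
      size -= n;
      if ( hash->curlen == 64) {
        crypto_sha256_compress (hash, hash->buf);
        hash->length += 8*64;
        hash->curlen = 0;
      }
    }
  }
}

/**
 * Finish the hash: apply the SHA-256 padding and write the digest.
 *
 * \param hash context holding the message state
 * \param out  receives the digest; eight 32-bit state words are stored at
 *             out + 4*i, so the buffer must hold 32 bytes
 *
 * When CRYPT_CLEAN_STACK is defined the whole context is wiped afterwards,
 * so it must be re-initialised with crypto_sha256_init() before reuse.
 * Callers that need to keep hashing after taking a digest should finish a
 * copy made with crypto_sha256_copy() instead.
 *
 * Does not return if hash->curlen is not smaller than the internal buffer
 * (see fatal()).
 */
void crypto_sha256_end(crypto_sha256_t* hash, uint8_t* out)
{
  int i;

  /* curlen must leave room for at least the 0x80 marker byte written below */
  if (hash->curlen >= sizeof(hash->buf)) {
    fatal(CRYPTO_ERR_PARAMETERS);
  }

  /* increase the length of the message */
  hash->length += hash->curlen * 8;

  /* append the '1' bit */
  hash->buf[hash->curlen++] = (unsigned char)0x80;

  /* if the length is currently above 56 bytes we append zeros
   * then compress. Then we can fall back to padding zeros and length
   * encoding like normal.
   */
  if (hash->curlen > 56) {
    while (hash->curlen < 64) {
      hash->buf[hash->curlen++] = (unsigned char)0;
    }
    crypto_sha256_compress(hash, hash->buf);
    hash->curlen = 0;
  }

  /* pad upto 56 bytes of zeroes */
  while (hash->curlen < 56) {
    hash->buf[hash->curlen++] = (unsigned char)0;
  }

  /* store length (message length in bits goes in the last 8 bytes of the block) */
  STORE64H(hash->length, hash->buf+56);
  crypto_sha256_compress(hash, hash->buf);

  /* copy output */
  for (i = 0; i < 8; i++) {
    STORE32H(hash->state[i], out+(4*i));
  }
#ifdef CRYPT_CLEAN_STACK
  /* Wipe the whole context. The previous sizeof(hash) was the size of the
   * pointer, so only the first few bytes were cleared and the remaining
   * state and buffered message bytes stayed in memory.
   * NOTE(review): zeromem() is declared elsewhere; confirm it cannot be
   * optimised away by the compiler.
   * NOTE(review): this guard uses #ifdef while crypto_sha256_compress() uses
   * #if CRYPT_CLEAN_STACK; the two differ when the macro is defined as 0. */
  zeromem(hash, sizeof(*hash));
#endif
}

/**
 * Duplicate a hash context, including any partially buffered block.
 *
 * \param hashTo   destination context (overwritten)
 * \param hashFrom source context (left unchanged)
 */
void crypto_sha256_copy(crypto_sha256_t* hashTo, crypto_sha256_t* hashFrom)
{
  memcpy(hashTo, hashFrom, sizeof(crypto_sha256_t));
}

/* Various logical functions */
#define Ch(x,y,z)       (z ^ (x & (y ^ z)))
#define Maj(x,y,z)      (((x | y) & z) | (x & y))
#define S(x, n)         RORc((x),(n))
#define R(x, n)         (((x)&0xFFFFFFFFUL)>>(n))
#define Sigma0(x)       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
#define Sigma1(x)       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
#define Gamma0(x)       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
#define Gamma1(x)       (S(x, 17) ^ S(x, 19) ^ R(x, 10))

/**
 * Run the SHA-256 compression function over one 64-byte block.
 *
 * \param hash context whose state[] is updated in place
 * \param buf  the 64-byte block; read through LOAD32H only
 *
 * Internal linkage comes from the static prototype at the top of the file;
 * the keyword is repeated here so the definition says so as well.
 */
static void crypto_sha256_compress(crypto_sha256_t* hash, unsigned char *buf)
{
  /* The local array S and the function-like macro S(x, n) do not clash:
   * the macro only expands when the name is followed by '('. */
  ulong32 S[8], W[64], t0, t1;
#ifdef LTC_SMALL_CODE
  ulong32 t;
#endif
  int i;

  /* copy state into S */
  for (i = 0; i < 8; i++) {
    S[i] = hash->state[i];
  }

  /* copy the state into 512-bits into W[0..15] */
  for (i = 0; i < 16; i++) {
    LOAD32H(W[i], buf + (4*i));
  }

  /* fill W[16..63] */
  for (i = 16; i < 64; i++) {
    W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16];
  }

  /* Compress */
#ifdef LTC_SMALL_CODE
  /* NOTE(review): K[] is not defined anywhere in this file. Unless one of the
   * included headers provides the 64-entry round-constant table, this branch
   * will not compile when LTC_SMALL_CODE is defined. */
#define RND(a,b,c,d,e,f,g,h,i)                         \
     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
     t1 = Sigma0(a) + Maj(a, b, c);                    \
     d += t0;                                          \
     h  = t0 + t1;

  for (i = 0; i < 64; ++i) {
    RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],i);
    t = S[7]; S[7] = S[6]; S[6] = S[5]; S[5] = S[4];
    S[4] = S[3]; S[3] = S[2]; S[2] = S[1]; S[1] = S[0]; S[0] = t;
  }
#else
  /* Unrolled variant: the working variables are rotated by permuting the
   * macro arguments, and each round constant is passed as a literal. */
#define RND(a,b,c,d,e,f,g,h,i,ki)                    \
     t0 = h + Sigma1(e) + Ch(e, f, g) + ki + W[i];   \
     t1 = Sigma0(a) + Maj(a, b, c);                  \
     d += t0;                                        \
     h  = t0 + t1;

  RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],0,0x428a2f98);
  RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],1,0x71374491);
  RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],2,0xb5c0fbcf);
  RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],3,0xe9b5dba5);
  RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],4,0x3956c25b);
  RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],5,0x59f111f1);
  RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],6,0x923f82a4);
  RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],7,0xab1c5ed5);
  RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],8,0xd807aa98);
  RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],9,0x12835b01);
  RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],10,0x243185be);
  RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],11,0x550c7dc3);
  RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],12,0x72be5d74);
  RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],13,0x80deb1fe);
  RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],14,0x9bdc06a7);
  RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],15,0xc19bf174);
  RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],16,0xe49b69c1);
  RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],17,0xefbe4786);
  RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],18,0x0fc19dc6);
  RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],19,0x240ca1cc);
  RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],20,0x2de92c6f);
  RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],21,0x4a7484aa);
  RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],22,0x5cb0a9dc);
  RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],23,0x76f988da);
  RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],24,0x983e5152);
  RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],25,0xa831c66d);
  RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],26,0xb00327c8);
  RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],27,0xbf597fc7);
  RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],28,0xc6e00bf3);
  RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],29,0xd5a79147);
  RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],30,0x06ca6351);
  RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],31,0x14292967);
  RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],32,0x27b70a85);
  RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],33,0x2e1b2138);
  RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],34,0x4d2c6dfc);
  RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],35,0x53380d13);
  RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],36,0x650a7354);
  RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],37,0x766a0abb);
  RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],38,0x81c2c92e);
  RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],39,0x92722c85);
  RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],40,0xa2bfe8a1);
  RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],41,0xa81a664b);
  RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],42,0xc24b8b70);
  RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],43,0xc76c51a3);
  RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],44,0xd192e819);
  RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],45,0xd6990624);
  RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],46,0xf40e3585);
  RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],47,0x106aa070);
  RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],48,0x19a4c116);
  RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],49,0x1e376c08);
  RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],50,0x2748774c);
  RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],51,0x34b0bcb5);
  RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],52,0x391c0cb3);
  RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],53,0x4ed8aa4a);
  RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],54,0x5b9cca4f);
  RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],55,0x682e6ff3);
  RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],56,0x748f82ee);
  RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],57,0x78a5636f);
  RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],58,0x84c87814);
  RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],59,0x8cc70208);
  RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],60,0x90befffa);
  RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],61,0xa4506ceb);
  RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],62,0xbef9a3f7);
  RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],63,0xc67178f2);

#undef RND

#endif

  /* feedback */
  for (i = 0; i < 8; i++) {
    hash->state[i] = hash->state[i] + S[i];
  }

#if CRYPT_CLEAN_STACK
  /* 74 words = S[8] + W[64] + t0 + t1, the working set declared above.
   * NOTE(review): crypto_sha256_end() guards its wipe with #ifdef rather
   * than #if; the two differ when CRYPT_CLEAN_STACK is defined as 0. */
  burn_stack(sizeof(ulong32) * 74);
#endif
}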
