"Fossies" - the Fresh Open Source Software Archive

Member "tin-2.4.3/libcanlock/src/sha224-256.c" (5 Jan 2018, 18257 Bytes) of package /linux/misc/tin-2.4.3.tar.xz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "sha224-256.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 2.4.2_vs_2.4.3.

    1 /************************* sha224-256.c ************************/
    2 /***************** See RFC 6234 for details. *******************/
    3 /* Copyright (c) 2011 IETF Trust and the persons identified as */
    4 /* authors of the code.  All rights reserved.                  */
    5 /* See sha.h for terms of use and redistribution.              */
    6 
    7 /*
    8  * Description:
    9  *   This file implements the Secure Hash Algorithms SHA-224 and
   10  *   SHA-256 as defined in the U.S. National Institute of Standards
   11  *   and Technology Federal Information Processing Standards
   12  *   Publication (FIPS PUB) 180-3 published in October 2008
   13  *   and formerly defined in its predecessors, FIPS PUB 180-1
   14  *   and FIP PUB 180-2.
   15  *
   16  *   A combined document showing all algorithms is available at
   17  *       http://csrc.nist.gov/publications/fips/
   18  *              fips180-3/fips180-3_final.pdf
   19  *
   20  *   The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit
   21  *   message digests for a given data stream.  It should take about
   22  *   2**n steps to find a message with the same digest as a given
   23  *   message and 2**(n/2) to find any two messages with the same
   24  *   digest, when n is the digest size in bits.  Therefore, this
   25  *   algorithm can serve as a means of providing a
   26  *   "fingerprint" for a message.
   27  *
   28  * Portability Issues:
   29  *   SHA-224 and SHA-256 are defined in terms of 32-bit "words".
   30  *   This code uses <stdint.h> (included via "sha.h") to define 32-
   31  *   and 8-bit unsigned integer types.  If your C compiler does not
   32  *   support 32-bit unsigned integers, this code is not
   33  *   appropriate.
   34  *
   35  * Caveats:
   36  *   SHA-224 and SHA-256 are designed to work with messages less
   37  *   than 2^64 bits long.  This implementation uses SHA224/256Input()
   38  *   to hash the bits that are a multiple of the size of an 8-bit
   39  *   octet, and then optionally uses SHA224/256FinalBits()
   40  *   to hash the final few bits of the input.
   41  */
   42 
   43 #include "canlock-private.h"
   44 #include "sha.h"
   45 #include "sha-private.h"
   46 
   47 /* Define the SHA shift, rotate left, and rotate right macros */
   48 #define SHA256_SHR(bits,word)      ((word) >> (bits))
   49 #if 0 /* not used */
   50 #define SHA256_ROTL(bits,word)                         \
   51   (((word) << (bits)) | ((word) >> (32-(bits))))
   52 #endif /* 0 */
   53 #define SHA256_ROTR(bits,word)                         \
   54   (((word) >> (bits)) | ((word) << (32-(bits))))
   55 
   56 /* Define the SHA SIGMA and sigma macros */
   57 #define SHA256_SIGMA0(word)   \
   58   (SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word))
   59 #define SHA256_SIGMA1(word)   \
   60   (SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word))
   61 #define SHA256_sigma0(word)   \
   62   (SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word))
   63 #define SHA256_sigma1(word)   \
   64   (SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word))
   65 
   66 /*
   67  * Add "length" to the length.
   68  * Set Corrupted when overflow has occurred.
   69  */
   70 static uint32_t addTemp;
   71 #define SHA224_256AddLength(context, length)               \
   72   (addTemp = (context)->Length_Low, (context)->Corrupted = \
   73     (((context)->Length_Low += (length)) < addTemp) &&     \
   74     (++(context)->Length_High == 0) ? shaInputTooLong :    \
   75                                       (context)->Corrupted )
   76 
   77 /* Local Function Prototypes */
   78 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0);
   79 static void SHA224_256ProcessMessageBlock(SHA256Context *context);
   80 static void SHA224_256Finalize(SHA256Context *context,
   81   uint8_t Pad_Byte);
   82 static void SHA224_256PadMessage(SHA256Context *context,
   83   uint8_t Pad_Byte);
   84 static int SHA224_256ResultN(SHA256Context *context,
   85   uint8_t Message_Digest[ ], int HashSize);
   86 
   87 /* Initial Hash Values: FIPS 180-3 section 5.3.2 */
   88 static uint32_t SHA224_H0[SHA256HashSize/4] = {
   89     0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939,
   90     0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4
   91 };
   92 
   93 /* Initial Hash Values: FIPS 180-3 section 5.3.3 */
   94 static uint32_t SHA256_H0[SHA256HashSize/4] = {
   95   0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
   96   0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
   97 };
   98 
   99 /*
  100  * SHA224Reset
  101  *
  102  * Description:
  103  *   This function will initialize the SHA224Context in preparation
  104  *   for computing a new SHA224 message digest.
  105  *
  106  * Parameters:
  107  *   context: [in/out]
  108  *     The context to reset.
  109  *
  110  * Returns:
  111  *   sha Error Code.
  112  */
  113 int SHA224Reset(SHA224Context *context)
  114 {
  115   return SHA224_256Reset(context, SHA224_H0);
  116 }
  117 
  118 /*
  119  * SHA224Input
  120  *
  121  * Description:
  122  *   This function accepts an array of octets as the next portion
  123  *   of the message.
  124  *
  125  * Parameters:
  126  *   context: [in/out]
  127  *     The SHA context to update.
  128  *   message_array[ ]: [in]
  129  *     An array of octets representing the next portion of
  130  *     the message.
  131  *   length: [in]
  132  *     The length of the message in message_array.
  133  *
  134  * Returns:
  135  *   sha Error Code.
  136  *
  137  */
  138 int SHA224Input(SHA224Context *context, const uint8_t *message_array,
  139     unsigned int length)
  140 {
  141   return SHA256Input(context, message_array, length);
  142 }
  143 
  144 /*
  145  * SHA224FinalBits
  146  *
  147  * Description:
  148  *   This function will add in any final bits of the message.
  149  *
  150  * Parameters:
  151  *   context: [in/out]
  152  *     The SHA context to update.
  153  *   message_bits: [in]
  154  *     The final bits of the message, in the upper portion of the
  155  *     byte.  (Use 0b###00000 instead of 0b00000### to input the
  156  *     three bits ###.)
  157  *   length: [in]
  158  *     The number of bits in message_bits, between 1 and 7.
  159  *
  160  * Returns:
  161  *   sha Error Code.
  162  */
  163 int SHA224FinalBits(SHA224Context *context,
  164                     uint8_t message_bits, unsigned int length)
  165 {
  166   return SHA256FinalBits(context, message_bits, length);
  167 }
  168 
  169 /*
  170  * SHA224Result
  171  *
  172  * Description:
  173  *   This function will return the 224-bit message digest
  174  *   into the Message_Digest array provided by the caller.
  175  *   NOTE:
  176  *    The first octet of hash is stored in the element with index 0,
  177  *    the last octet of hash in the element with index 27.
  178  *
  179  * Parameters:
  180  *   context: [in/out]
  181  *     The context to use to calculate the SHA hash.
  182  *   Message_Digest[ ]: [out]
  183  *     Where the digest is returned.
  184  *
  185  * Returns:
  186  *   sha Error Code.
  187  */
  188 int SHA224Result(SHA224Context *context,
  189     uint8_t Message_Digest[SHA224HashSize])
  190 {
  191   return SHA224_256ResultN(context, Message_Digest, SHA224HashSize);
  192 }
  193 
  194 /*
  195  * SHA256Reset
  196  *
  197  * Description:
  198  *   This function will initialize the SHA256Context in preparation
  199  *   for computing a new SHA256 message digest.
  200  *
  201  * Parameters:
  202  *   context: [in/out]
  203  *     The context to reset.
  204  *
  205  * Returns:
  206  *   sha Error Code.
  207  */
  208 int SHA256Reset(SHA256Context *context)
  209 {
  210   return SHA224_256Reset(context, SHA256_H0);
  211 }
  212 
  213 /*
  214  * SHA256Input
  215  *
  216  * Description:
  217  *   This function accepts an array of octets as the next portion
  218  *   of the message.
  219  *
  220  * Parameters:
  221  *   context: [in/out]
  222  *     The SHA context to update.
  223  *   message_array[ ]: [in]
  224  *     An array of octets representing the next portion of
  225  *     the message.
  226  *   length: [in]
  227  *     The length of the message in message_array.
  228  *
  229  * Returns:
  230  *   sha Error Code.
  231  */
  232 int SHA256Input(SHA256Context *context, const uint8_t *message_array,
  233     unsigned int length)
  234 {
  235   if (!context) return shaNull;
  236   if (!length) return shaSuccess;
  237   if (!message_array) return shaNull;
  238   if (context->Computed) return context->Corrupted = shaStateError;
  239   if (context->Corrupted) return context->Corrupted;
  240 
  241   while (length--) {
  242     context->Message_Block[context->Message_Block_Index++] =
  243             *message_array;
  244 
  245     if ((SHA224_256AddLength(context, 8) == shaSuccess) &&
  246       (context->Message_Block_Index == SHA256_Message_Block_Size))
  247       SHA224_256ProcessMessageBlock(context);
  248 
  249     message_array++;
  250   }
  251 
  252   return context->Corrupted;
  253 
  254 }
  255 
  256 /*
  257  * SHA256FinalBits
  258  *
  259  * Description:
  260  *   This function will add in any final bits of the message.
  261  *
  262  * Parameters:
  263  *   context: [in/out]
  264  *     The SHA context to update.
  265  *   message_bits: [in]
  266  *     The final bits of the message, in the upper portion of the
  267  *     byte.  (Use 0b###00000 instead of 0b00000### to input the
  268  *     three bits ###.)
  269  *   length: [in]
  270  *     The number of bits in message_bits, between 1 and 7.
  271  *
  272  * Returns:
  273  *   sha Error Code.
  274  */
  275 int SHA256FinalBits(SHA256Context *context,
  276                     uint8_t message_bits, unsigned int length)
  277 {
  278   static uint8_t masks[8] = {
  279       /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
  280       /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
  281       /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
  282       /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
  283   };
  284   static uint8_t markbit[8] = {
  285       /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
  286       /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
  287       /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
  288       /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
  289   };
  290 
  291   if (!context) return shaNull;
  292   if (!length) return shaSuccess;
  293   if (context->Corrupted) return context->Corrupted;
  294   if (context->Computed) return context->Corrupted = shaStateError;
  295   if (length >= 8) return context->Corrupted = shaBadParam;
  296 
  297   SHA224_256AddLength(context, length);
  298   SHA224_256Finalize(context, (uint8_t)
  299     ((message_bits & masks[length]) | markbit[length]));
  300 
  301   return context->Corrupted;
  302 }
  303 
  304 /*
  305  * SHA256Result
  306  *
  307  * Description:
  308  *   This function will return the 256-bit message digest
  309  *   into the Message_Digest array provided by the caller.
  310  *   NOTE:
  311  *    The first octet of hash is stored in the element with index 0,
  312  *    the last octet of hash in the element with index 31.
  313  *
  314  * Parameters:
  315  *   context: [in/out]
  316  *     The context to use to calculate the SHA hash.
  317  *   Message_Digest[ ]: [out]
  318  *     Where the digest is returned.
  319  *
  320  * Returns:
  321  *   sha Error Code.
  322  */
  323 int SHA256Result(SHA256Context *context,
  324                  uint8_t Message_Digest[SHA256HashSize])
  325 {
  326   return SHA224_256ResultN(context, Message_Digest, SHA256HashSize);
  327 }
  328 
  329 /*
  330  * SHA224_256Reset
  331  *
  332  * Description:
  333  *   This helper function will initialize the SHA256Context in
  334  *   preparation for computing a new SHA-224 or SHA-256 message digest.
  335  *
  336  * Parameters:
  337  *   context: [in/out]
  338  *     The context to reset.
  339  *   H0[ ]: [in]
  340  *     The initial hash value array to use.
  341  *
  342  * Returns:
  343  *   sha Error Code.
  344  */
  345 static int SHA224_256Reset(SHA256Context *context, uint32_t *H0)
  346 {
  347   if (!context) return shaNull;
  348 
  349   context->Length_High = context->Length_Low = 0;
  350   context->Message_Block_Index  = 0;
  351 
  352   context->Intermediate_Hash[0] = H0[0];
  353   context->Intermediate_Hash[1] = H0[1];
  354   context->Intermediate_Hash[2] = H0[2];
  355   context->Intermediate_Hash[3] = H0[3];
  356   context->Intermediate_Hash[4] = H0[4];
  357   context->Intermediate_Hash[5] = H0[5];
  358   context->Intermediate_Hash[6] = H0[6];
  359   context->Intermediate_Hash[7] = H0[7];
  360 
  361   context->Computed  = 0;
  362   context->Corrupted = shaSuccess;
  363 
  364   return shaSuccess;
  365 }
  366 
  367 /*
  368  * SHA224_256ProcessMessageBlock
  369  *
  370  * Description:
  371  *   This helper function will process the next 512 bits of the
  372  *   message stored in the Message_Block array.
  373  *
  374  * Parameters:
  375  *   context: [in/out]
  376  *     The SHA context to update.
  377  *
  378  * Returns:
  379  *   Nothing.
  380  *
  381  * Comments:
  382  *   Many of the variable names in this code, especially the
  383  *   single character names, were used because those were the
  384  *   names used in the Secure Hash Standard.
  385  */
  386 static void SHA224_256ProcessMessageBlock(SHA256Context *context)
  387 {
  388   /* Constants defined in FIPS 180-3, section 4.2.2 */
  389   static const uint32_t K[64] = {
  390       0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
  391       0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
  392       0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
  393       0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
  394       0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
  395       0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
  396       0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
  397       0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
  398       0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
  399       0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
  400       0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
  401       0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
  402       0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
  403   };
  404   int        t, t4;            /* Loop counter */
  405   uint32_t   temp1, temp2;     /* Temporary word value */
  406   uint32_t   W[64];            /* Word sequence. Security review: Location L5 */
  407   uint32_t   A, B, C, D, E, F, G, H;  /* Word buffers */
  408 
  409   /*
  410    * Initialize the first 16 words in the array W
  411    */
  412   for (t = t4 = 0; t < 16; t++, t4 += 4)
  413     W[t] = (((uint32_t)context->Message_Block[t4]) << 24) |
  414            (((uint32_t)context->Message_Block[t4 + 1]) << 16) |
  415            (((uint32_t)context->Message_Block[t4 + 2]) << 8) |
  416            (((uint32_t)context->Message_Block[t4 + 3]));
  417 
  418   for (t = 16; t < 64; t++)
  419     W[t] = SHA256_sigma1(W[t-2]) + W[t-7] +
  420         SHA256_sigma0(W[t-15]) + W[t-16];
  421 
  422   A = context->Intermediate_Hash[0];
  423   B = context->Intermediate_Hash[1];
  424   C = context->Intermediate_Hash[2];
  425   D = context->Intermediate_Hash[3];
  426   E = context->Intermediate_Hash[4];
  427   F = context->Intermediate_Hash[5];
  428   G = context->Intermediate_Hash[6];
  429   H = context->Intermediate_Hash[7];
  430 
  431   for (t = 0; t < 64; t++) {
  432     temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
  433     temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C);
  434     H = G;
  435     G = F;
  436     F = E;
  437     E = D + temp1;
  438     D = C;
  439     C = B;
  440     B = A;
  441     A = temp1 + temp2;
  442   }
  443 
  444   cl_clear_secret((void *) W, sizeof(W), sizeof(W));
  445 
  446   context->Intermediate_Hash[0] += A;
  447   context->Intermediate_Hash[1] += B;
  448   context->Intermediate_Hash[2] += C;
  449   context->Intermediate_Hash[3] += D;
  450   context->Intermediate_Hash[4] += E;
  451   context->Intermediate_Hash[5] += F;
  452   context->Intermediate_Hash[6] += G;
  453   context->Intermediate_Hash[7] += H;
  454 
  455   context->Message_Block_Index = 0;
  456 }
  457 
  458 /*
  459  * SHA224_256Finalize
  460  *
  461  * Description:
  462  *   This helper function finishes off the digest calculations.
  463  *
  464  * Parameters:
  465  *   context: [in/out]
  466  *     The SHA context to update.
  467  *   Pad_Byte: [in]
  468  *     The last byte to add to the message block before the 0-padding
  469  *     and length.  This will contain the last bits of the message
  470  *     followed by another single bit.  If the message was an
  471  *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
  472  *
  473  * Returns:
  474  *   sha Error Code.
  475  */
  476 static void SHA224_256Finalize(SHA256Context *context,
  477     uint8_t Pad_Byte)
  478 {
  479   int i;
  480   SHA224_256PadMessage(context, Pad_Byte);
  481   /* message may be sensitive, so clear it out */
  482   for (i = 0; i < SHA256_Message_Block_Size; ++i)
  483     context->Message_Block[i] = 0;
  484   context->Length_High = 0;     /* and clear length */
  485   context->Length_Low = 0;
  486   context->Computed = 1;
  487 }
  488 
  489 /*
  490  * SHA224_256PadMessage
  491  *
  492  * Description:
  493  *   According to the standard, the message must be padded to the next
  494  *   even multiple of 512 bits.  The first padding bit must be a '1'.
  495  *   The last 64 bits represent the length of the original message.
  496  *   All bits in between should be 0.  This helper function will pad
  497  *   the message according to those rules by filling the
  498  *   Message_Block array accordingly.  When it returns, it can be
  499  *   assumed that the message digest has been computed.
  500  *
  501  * Parameters:
  502  *   context: [in/out]
  503  *     The context to pad.
  504  *   Pad_Byte: [in]
  505  *     The last byte to add to the message block before the 0-padding
  506  *     and length.  This will contain the last bits of the message
  507  *     followed by another single bit.  If the message was an
  508  *     exact multiple of 8-bits long, Pad_Byte will be 0x80.
  509  *
  510  * Returns:
  511  *   Nothing.
  512  */
  513 static void SHA224_256PadMessage(SHA256Context *context,
  514     uint8_t Pad_Byte)
  515 {
  516   /*
  517    * Check to see if the current message block is too small to hold
  518    * the initial padding bits and length.  If so, we will pad the
  519    * block, process it, and then continue padding into a second
  520    * block.
  521    */
  522   if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) {
  523     context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
  524     while (context->Message_Block_Index < SHA256_Message_Block_Size)
  525       context->Message_Block[context->Message_Block_Index++] = 0;
  526     SHA224_256ProcessMessageBlock(context);
  527   } else
  528     context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
  529 
  530   while (context->Message_Block_Index < (SHA256_Message_Block_Size-8))
  531     context->Message_Block[context->Message_Block_Index++] = 0;
  532 
  533   /*
  534    * Store the message length as the last 8 octets
  535    */
  536   context->Message_Block[56] = (uint8_t)(context->Length_High >> 24);
  537   context->Message_Block[57] = (uint8_t)(context->Length_High >> 16);
  538   context->Message_Block[58] = (uint8_t)(context->Length_High >> 8);
  539   context->Message_Block[59] = (uint8_t)(context->Length_High);
  540   context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24);
  541   context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16);
  542   context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8);
  543   context->Message_Block[63] = (uint8_t)(context->Length_Low);
  544 
  545   SHA224_256ProcessMessageBlock(context);
  546 }
  547 
  548 /*
  549  * SHA224_256ResultN
  550  *
  551  * Description:
  552  *   This helper function will return the 224-bit or 256-bit message
  553  *   digest into the Message_Digest array provided by the caller.
  554  *   NOTE:
  555  *    The first octet of hash is stored in the element with index 0,
  556  *    the last octet of hash in the element with index 27/31.
  557  *
  558  * Parameters:
  559  *   context: [in/out]
  560  *     The context to use to calculate the SHA hash.
  561  *   Message_Digest[ ]: [out]
  562  *     Where the digest is returned.
  563  *   HashSize: [in]
  564  *     The size of the hash, either 28 or 32.
  565  *
  566  * Returns:
  567  *   sha Error Code.
  568  */
  569 static int SHA224_256ResultN(SHA256Context *context,
  570     uint8_t Message_Digest[ ], int HashSize)
  571 {
  572   int i;
  573 
  574   if (!context) return shaNull;
  575   if (!Message_Digest) return shaNull;
  576   if (context->Corrupted) return context->Corrupted;
  577 
  578   if (!context->Computed)
  579     SHA224_256Finalize(context, 0x80);
  580 
  581   for (i = 0; i < HashSize; ++i)
  582     Message_Digest[i] = (uint8_t)
  583       (context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) ));
  584 
  585   return shaSuccess;
  586 }