1 /* SHA-256 and SHA-512 implementation based on code by Oliver Gay
2  * <olivier.gay@a3.epfl.ch> under a BSD-style license. See below.
3  */
4 
5 /*
6  * FIPS 180-2 SHA-224/256/384/512 implementation
7  * Last update: 02/02/2007
8  * Issue date:  04/30/2005
9  *
10  * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
11  * All rights reserved.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. Neither the name of the project nor the names of its contributors
22  *    may be used to endorse or promote products derived from this software
23  *    without specific prior written permission.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
29  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35  * SUCH DAMAGE.
36  */
37 
38 #include "2sysincludes.h"
39 #include "2common.h"
40 #include "2sha.h"
41 
42 #define SHFR(x, n)    (x >> n)
43 #define ROTR(x, n)   ((x >> n) | (x << ((sizeof(x) << 3) - n)))
44 #define ROTL(x, n)   ((x << n) | (x >> ((sizeof(x) << 3) - n)))
45 #define CH(x, y, z)  ((x & y) ^ (~x & z))
46 #define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
47 
48 #define SHA256_F1(x) (ROTR(x,  2) ^ ROTR(x, 13) ^ ROTR(x, 22))
49 #define SHA256_F2(x) (ROTR(x,  6) ^ ROTR(x, 11) ^ ROTR(x, 25))
50 #define SHA256_F3(x) (ROTR(x,  7) ^ ROTR(x, 18) ^ SHFR(x,  3))
51 #define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
52 
53 #define UNPACK32(x, str)				\
54 	{						\
55 		*((str) + 3) = (uint8_t) ((x)      );	\
56 		*((str) + 2) = (uint8_t) ((x) >>  8);	\
57 		*((str) + 1) = (uint8_t) ((x) >> 16);	\
58 		*((str) + 0) = (uint8_t) ((x) >> 24);	\
59 	}
60 
61 #define PACK32(str, x)						\
62 	{							\
63 		*(x) =   ((uint32_t) *((str) + 3)      )	\
64 			| ((uint32_t) *((str) + 2) <<  8)       \
65 			| ((uint32_t) *((str) + 1) << 16)       \
66 			| ((uint32_t) *((str) + 0) << 24);      \
67 	}
68 
69 /* Macros used for loops unrolling */
70 
71 #define SHA256_SCR(i)						\
72 	{							\
73 		w[i] =  SHA256_F4(w[i -  2]) + w[i -  7]	\
74 			+ SHA256_F3(w[i - 15]) + w[i - 16];	\
75 	}
76 
77 #define SHA256_EXP(a, b, c, d, e, f, g, h, j)				\
78 	{								\
79 		t1 = wv[h] + SHA256_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
80 			+ sha256_k[j] + w[j];				\
81 		t2 = SHA256_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]);       \
82 		wv[d] += t1;                                            \
83 		wv[h] = t1 + t2;                                        \
84 	}
85 
86 static const uint32_t sha256_h0[8] = {
87 	0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
88 	0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
89 };
90 
91 static const uint32_t sha256_k[64] = {
92 	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
93 	0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
94 	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
95 	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
96 	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
97 	0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
98 	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
99 	0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
100 	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
101 	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
102 	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
103 	0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
104 	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
105 	0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
106 	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
107 	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
108 };
109 
110 /* SHA-256 implementation */
vb2_sha256_init(struct vb2_sha256_context * ctx)111 void vb2_sha256_init(struct vb2_sha256_context *ctx)
112 {
113 #ifndef UNROLL_LOOPS
114 	int i;
115 	for (i = 0; i < 8; i++) {
116 		ctx->h[i] = sha256_h0[i];
117 	}
118 #else
119 	ctx->h[0] = sha256_h0[0]; ctx->h[1] = sha256_h0[1];
120 	ctx->h[2] = sha256_h0[2]; ctx->h[3] = sha256_h0[3];
121 	ctx->h[4] = sha256_h0[4]; ctx->h[5] = sha256_h0[5];
122 	ctx->h[6] = sha256_h0[6]; ctx->h[7] = sha256_h0[7];
123 #endif /* !UNROLL_LOOPS */
124 
125 	ctx->size = 0;
126 	ctx->total_size = 0;
127 }
128 
vb2_sha256_transform(struct vb2_sha256_context * ctx,const uint8_t * message,unsigned int block_nb)129 static void vb2_sha256_transform(struct vb2_sha256_context *ctx,
130 				 const uint8_t *message,
131 				 unsigned int block_nb)
132 {
133 	/* Note that these arrays use 72*4=288 bytes of stack */
134 	uint32_t w[64];
135 	uint32_t wv[8];
136 	uint32_t t1, t2;
137 	const unsigned char *sub_block;
138 	int i;
139 
140 #ifndef UNROLL_LOOPS
141 	int j;
142 #endif
143 
144 	for (i = 0; i < (int) block_nb; i++) {
145 		sub_block = message + (i << 6);
146 
147 #ifndef UNROLL_LOOPS
148 		for (j = 0; j < 16; j++) {
149 			PACK32(&sub_block[j << 2], &w[j]);
150 		}
151 
152 		for (j = 16; j < 64; j++) {
153 			SHA256_SCR(j);
154 		}
155 
156 		for (j = 0; j < 8; j++) {
157 			wv[j] = ctx->h[j];
158 		}
159 
160 		for (j = 0; j < 64; j++) {
161 			t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
162 				+ sha256_k[j] + w[j];
163 			t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
164 			wv[7] = wv[6];
165 			wv[6] = wv[5];
166 			wv[5] = wv[4];
167 			wv[4] = wv[3] + t1;
168 			wv[3] = wv[2];
169 			wv[2] = wv[1];
170 			wv[1] = wv[0];
171 			wv[0] = t1 + t2;
172 		}
173 
174 		for (j = 0; j < 8; j++) {
175 			ctx->h[j] += wv[j];
176 		}
177 #else
178 		PACK32(&sub_block[ 0], &w[ 0]); PACK32(&sub_block[ 4], &w[ 1]);
179 		PACK32(&sub_block[ 8], &w[ 2]); PACK32(&sub_block[12], &w[ 3]);
180 		PACK32(&sub_block[16], &w[ 4]); PACK32(&sub_block[20], &w[ 5]);
181 		PACK32(&sub_block[24], &w[ 6]); PACK32(&sub_block[28], &w[ 7]);
182 		PACK32(&sub_block[32], &w[ 8]); PACK32(&sub_block[36], &w[ 9]);
183 		PACK32(&sub_block[40], &w[10]); PACK32(&sub_block[44], &w[11]);
184 		PACK32(&sub_block[48], &w[12]); PACK32(&sub_block[52], &w[13]);
185 		PACK32(&sub_block[56], &w[14]); PACK32(&sub_block[60], &w[15]);
186 
187 		SHA256_SCR(16); SHA256_SCR(17); SHA256_SCR(18); SHA256_SCR(19);
188 		SHA256_SCR(20); SHA256_SCR(21); SHA256_SCR(22); SHA256_SCR(23);
189 		SHA256_SCR(24); SHA256_SCR(25); SHA256_SCR(26); SHA256_SCR(27);
190 		SHA256_SCR(28); SHA256_SCR(29); SHA256_SCR(30); SHA256_SCR(31);
191 		SHA256_SCR(32); SHA256_SCR(33); SHA256_SCR(34); SHA256_SCR(35);
192 		SHA256_SCR(36); SHA256_SCR(37); SHA256_SCR(38); SHA256_SCR(39);
193 		SHA256_SCR(40); SHA256_SCR(41); SHA256_SCR(42); SHA256_SCR(43);
194 		SHA256_SCR(44); SHA256_SCR(45); SHA256_SCR(46); SHA256_SCR(47);
195 		SHA256_SCR(48); SHA256_SCR(49); SHA256_SCR(50); SHA256_SCR(51);
196 		SHA256_SCR(52); SHA256_SCR(53); SHA256_SCR(54); SHA256_SCR(55);
197 		SHA256_SCR(56); SHA256_SCR(57); SHA256_SCR(58); SHA256_SCR(59);
198 		SHA256_SCR(60); SHA256_SCR(61); SHA256_SCR(62); SHA256_SCR(63);
199 
200 		wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
201 		wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
202 		wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
203 		wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
204 
205 		SHA256_EXP(0,1,2,3,4,5,6,7, 0); SHA256_EXP(7,0,1,2,3,4,5,6, 1);
206 		SHA256_EXP(6,7,0,1,2,3,4,5, 2); SHA256_EXP(5,6,7,0,1,2,3,4, 3);
207 		SHA256_EXP(4,5,6,7,0,1,2,3, 4); SHA256_EXP(3,4,5,6,7,0,1,2, 5);
208 		SHA256_EXP(2,3,4,5,6,7,0,1, 6); SHA256_EXP(1,2,3,4,5,6,7,0, 7);
209 		SHA256_EXP(0,1,2,3,4,5,6,7, 8); SHA256_EXP(7,0,1,2,3,4,5,6, 9);
210 		SHA256_EXP(6,7,0,1,2,3,4,5,10); SHA256_EXP(5,6,7,0,1,2,3,4,11);
211 		SHA256_EXP(4,5,6,7,0,1,2,3,12); SHA256_EXP(3,4,5,6,7,0,1,2,13);
212 		SHA256_EXP(2,3,4,5,6,7,0,1,14); SHA256_EXP(1,2,3,4,5,6,7,0,15);
213 		SHA256_EXP(0,1,2,3,4,5,6,7,16); SHA256_EXP(7,0,1,2,3,4,5,6,17);
214 		SHA256_EXP(6,7,0,1,2,3,4,5,18); SHA256_EXP(5,6,7,0,1,2,3,4,19);
215 		SHA256_EXP(4,5,6,7,0,1,2,3,20); SHA256_EXP(3,4,5,6,7,0,1,2,21);
216 		SHA256_EXP(2,3,4,5,6,7,0,1,22); SHA256_EXP(1,2,3,4,5,6,7,0,23);
217 		SHA256_EXP(0,1,2,3,4,5,6,7,24); SHA256_EXP(7,0,1,2,3,4,5,6,25);
218 		SHA256_EXP(6,7,0,1,2,3,4,5,26); SHA256_EXP(5,6,7,0,1,2,3,4,27);
219 		SHA256_EXP(4,5,6,7,0,1,2,3,28); SHA256_EXP(3,4,5,6,7,0,1,2,29);
220 		SHA256_EXP(2,3,4,5,6,7,0,1,30); SHA256_EXP(1,2,3,4,5,6,7,0,31);
221 		SHA256_EXP(0,1,2,3,4,5,6,7,32); SHA256_EXP(7,0,1,2,3,4,5,6,33);
222 		SHA256_EXP(6,7,0,1,2,3,4,5,34); SHA256_EXP(5,6,7,0,1,2,3,4,35);
223 		SHA256_EXP(4,5,6,7,0,1,2,3,36); SHA256_EXP(3,4,5,6,7,0,1,2,37);
224 		SHA256_EXP(2,3,4,5,6,7,0,1,38); SHA256_EXP(1,2,3,4,5,6,7,0,39);
225 		SHA256_EXP(0,1,2,3,4,5,6,7,40); SHA256_EXP(7,0,1,2,3,4,5,6,41);
226 		SHA256_EXP(6,7,0,1,2,3,4,5,42); SHA256_EXP(5,6,7,0,1,2,3,4,43);
227 		SHA256_EXP(4,5,6,7,0,1,2,3,44); SHA256_EXP(3,4,5,6,7,0,1,2,45);
228 		SHA256_EXP(2,3,4,5,6,7,0,1,46); SHA256_EXP(1,2,3,4,5,6,7,0,47);
229 		SHA256_EXP(0,1,2,3,4,5,6,7,48); SHA256_EXP(7,0,1,2,3,4,5,6,49);
230 		SHA256_EXP(6,7,0,1,2,3,4,5,50); SHA256_EXP(5,6,7,0,1,2,3,4,51);
231 		SHA256_EXP(4,5,6,7,0,1,2,3,52); SHA256_EXP(3,4,5,6,7,0,1,2,53);
232 		SHA256_EXP(2,3,4,5,6,7,0,1,54); SHA256_EXP(1,2,3,4,5,6,7,0,55);
233 		SHA256_EXP(0,1,2,3,4,5,6,7,56); SHA256_EXP(7,0,1,2,3,4,5,6,57);
234 		SHA256_EXP(6,7,0,1,2,3,4,5,58); SHA256_EXP(5,6,7,0,1,2,3,4,59);
235 		SHA256_EXP(4,5,6,7,0,1,2,3,60); SHA256_EXP(3,4,5,6,7,0,1,2,61);
236 		SHA256_EXP(2,3,4,5,6,7,0,1,62); SHA256_EXP(1,2,3,4,5,6,7,0,63);
237 
238 		ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
239 		ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
240 		ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
241 		ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
242 #endif /* !UNROLL_LOOPS */
243 	}
244 }
245 
vb2_sha256_update(struct vb2_sha256_context * ctx,const uint8_t * data,uint32_t size)246 void vb2_sha256_update(struct vb2_sha256_context *ctx,
247 		       const uint8_t *data,
248 		       uint32_t size)
249 {
250 	unsigned int block_nb;
251 	unsigned int new_size, rem_size, tmp_size;
252 	const uint8_t *shifted_data;
253 
254 	tmp_size = VB2_SHA256_BLOCK_SIZE - ctx->size;
255 	rem_size = size < tmp_size ? size : tmp_size;
256 
257 	memcpy(&ctx->block[ctx->size], data, rem_size);
258 
259 	if (ctx->size + size < VB2_SHA256_BLOCK_SIZE) {
260 		ctx->size += size;
261 		return;
262 	}
263 
264 	new_size = size - rem_size;
265 	block_nb = new_size / VB2_SHA256_BLOCK_SIZE;
266 
267 	shifted_data = data + rem_size;
268 
269 	vb2_sha256_transform(ctx, ctx->block, 1);
270 	vb2_sha256_transform(ctx, shifted_data, block_nb);
271 
272 	rem_size = new_size % VB2_SHA256_BLOCK_SIZE;
273 
274 	memcpy(ctx->block, &shifted_data[block_nb << 6],
275 	       rem_size);
276 
277 	ctx->size = rem_size;
278 	ctx->total_size += (block_nb + 1) << 6;
279 }
280 
vb2_sha256_finalize(struct vb2_sha256_context * ctx,uint8_t * digest)281 void vb2_sha256_finalize(struct vb2_sha256_context *ctx, uint8_t *digest)
282 {
283 	unsigned int block_nb;
284 	unsigned int pm_size;
285 	unsigned int size_b;
286 #ifndef UNROLL_LOOPS
287 	int i;
288 #endif
289 
290 	block_nb = (1 + ((VB2_SHA256_BLOCK_SIZE - 9)
291 			 < (ctx->size % VB2_SHA256_BLOCK_SIZE)));
292 
293 	size_b = (ctx->total_size + ctx->size) << 3;
294 	pm_size = block_nb << 6;
295 
296 	memset(ctx->block + ctx->size, 0, pm_size - ctx->size);
297 	ctx->block[ctx->size] = 0x80;
298 	UNPACK32(size_b, ctx->block + pm_size - 4);
299 
300 	vb2_sha256_transform(ctx, ctx->block, block_nb);
301 
302 #ifndef UNROLL_LOOPS
303 	for (i = 0 ; i < 8; i++) {
304 		UNPACK32(ctx->h[i], &digest[i << 2]);
305 	}
306 #else
307 	UNPACK32(ctx->h[0], &digest[ 0]);
308 	UNPACK32(ctx->h[1], &digest[ 4]);
309 	UNPACK32(ctx->h[2], &digest[ 8]);
310 	UNPACK32(ctx->h[3], &digest[12]);
311 	UNPACK32(ctx->h[4], &digest[16]);
312 	UNPACK32(ctx->h[5], &digest[20]);
313 	UNPACK32(ctx->h[6], &digest[24]);
314 	UNPACK32(ctx->h[7], &digest[28]);
315 #endif /* !UNROLL_LOOPS */
316 }
317