projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
DKIM: reinstate embedded Polarssl SHA routines under older GnuTLS. Bug 1772
[exim.git] / src / src / pdkim / sha2.c
1 #include "crypt_ver.h"
2
3 #ifdef SHA_POLARSSL /* remainder of file */
4
5 /*
6 * FIPS-180-2 compliant SHA-256 implementation
7 *
8 * Copyright (C) 2006-2010, Brainspark B.V.
9 *
10 * This file is part of PolarSSL (http://www.polarssl.org)
11 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
12 *
13 * All rights reserved.
14 *
15 * This program is free software; you can redistribute it and/or modify
16 * it under the terms of the GNU General Public License as published by
17 * the Free Software Foundation; either version 2 of the License, or
18 * (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License along
26 * with this program; if not, write to the Free Software Foundation, Inc.,
27 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 */
29 /*
30 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
31 *
32 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
33 */
34
35 #include "polarssl/config.h"
36
37 #if defined(POLARSSL_SHA2_C)
38
39 #include "polarssl/sha2.h"
40
41 #include <string.h>
42 #include <stdio.h>
43
44 /*
45 * 32-bit integer manipulation macros (big endian)
46 */
47 #ifndef GET_ULONG_BE
48 #define GET_ULONG_BE(n,b,i) \
49 { \
50 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
51 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
52 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
53 | ( (unsigned long) (b)[(i) + 3] ); \
54 }
55 #endif
56
57 #ifndef PUT_ULONG_BE
58 #define PUT_ULONG_BE(n,b,i) \
59 { \
60 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
61 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
62 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
63 (b)[(i) + 3] = (unsigned char) ( (n) ); \
64 }
65 #endif
66
67 /*
68 * SHA-256 context setup
69 */
70 void sha2_starts( sha2_context *ctx, int is224 )
71 {
72 ctx->total[0] = 0;
73 ctx->total[1] = 0;
74
75 if( is224 == 0 )
76 {
77 /* SHA-256 */
78 ctx->state[0] = 0x6A09E667;
79 ctx->state[1] = 0xBB67AE85;
80 ctx->state[2] = 0x3C6EF372;
81 ctx->state[3] = 0xA54FF53A;
82 ctx->state[4] = 0x510E527F;
83 ctx->state[5] = 0x9B05688C;
84 ctx->state[6] = 0x1F83D9AB;
85 ctx->state[7] = 0x5BE0CD19;
86 }
87 else
88 {
89 /* SHA-224 */
90 ctx->state[0] = 0xC1059ED8;
91 ctx->state[1] = 0x367CD507;
92 ctx->state[2] = 0x3070DD17;
93 ctx->state[3] = 0xF70E5939;
94 ctx->state[4] = 0xFFC00B31;
95 ctx->state[5] = 0x68581511;
96 ctx->state[6] = 0x64F98FA7;
97 ctx->state[7] = 0xBEFA4FA4;
98 }
99
100 ctx->is224 = is224;
101 }
102
103 static void sha2_process( sha2_context *ctx, const unsigned char data[64] )
104 {
105 unsigned long temp1, temp2, W[64];
106 unsigned long A, B, C, D, E, F, G, H;
107
108 GET_ULONG_BE( W[ 0], data, 0 );
109 GET_ULONG_BE( W[ 1], data, 4 );
110 GET_ULONG_BE( W[ 2], data, 8 );
111 GET_ULONG_BE( W[ 3], data, 12 );
112 GET_ULONG_BE( W[ 4], data, 16 );
113 GET_ULONG_BE( W[ 5], data, 20 );
114 GET_ULONG_BE( W[ 6], data, 24 );
115 GET_ULONG_BE( W[ 7], data, 28 );
116 GET_ULONG_BE( W[ 8], data, 32 );
117 GET_ULONG_BE( W[ 9], data, 36 );
118 GET_ULONG_BE( W[10], data, 40 );
119 GET_ULONG_BE( W[11], data, 44 );
120 GET_ULONG_BE( W[12], data, 48 );
121 GET_ULONG_BE( W[13], data, 52 );
122 GET_ULONG_BE( W[14], data, 56 );
123 GET_ULONG_BE( W[15], data, 60 );
124
125 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
126 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
127
128 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
129 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
130
131 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
132 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
133
134 #define F0(x,y,z) ((x & y) | (z & (x | y)))
135 #define F1(x,y,z) (z ^ (x & (y ^ z)))
136
137 #define R(t) \
138 ( \
139 W[t] = S1(W[t - 2]) + W[t - 7] + \
140 S0(W[t - 15]) + W[t - 16] \
141 )
142
143 #define P(a,b,c,d,e,f,g,h,x,K) \
144 { \
145 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
146 temp2 = S2(a) + F0(a,b,c); \
147 d += temp1; h = temp1 + temp2; \
148 }
149
150 A = ctx->state[0];
151 B = ctx->state[1];
152 C = ctx->state[2];
153 D = ctx->state[3];
154 E = ctx->state[4];
155 F = ctx->state[5];
156 G = ctx->state[6];
157 H = ctx->state[7];
158
159 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
160 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
161 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
162 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
163 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
164 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
165 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
166 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
167 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
168 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
169 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
170 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
171 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
172 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
173 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
174 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
175 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
176 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
177 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
178 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
179 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
180 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
181 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
182 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
183 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
184 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
185 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
186 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
187 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
188 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
189 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
190 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
191 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
192 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
193 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
194 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
195 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
196 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
197 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
198 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
199 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
200 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
201 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
202 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
203 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
204 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
205 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
206 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
207 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
208 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
209 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
210 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
211 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
212 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
213 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
214 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
215 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
216 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
217 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
218 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
219 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
220 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
221 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
222 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
223
224 ctx->state[0] += A;
225 ctx->state[1] += B;
226 ctx->state[2] += C;
227 ctx->state[3] += D;
228 ctx->state[4] += E;
229 ctx->state[5] += F;
230 ctx->state[6] += G;
231 ctx->state[7] += H;
232 }
233
234 /*
235 * SHA-256 process buffer
236 */
237 void sha2_update( sha2_context *ctx, const unsigned char *input, int ilen )
238 {
239 int fill;
240 unsigned long left;
241
242 if( ilen <= 0 )
243 return;
244
245 left = ctx->total[0] & 0x3F;
246 fill = 64 - left;
247
248 ctx->total[0] += ilen;
249 ctx->total[0] &= 0xFFFFFFFF;
250
251 if( ctx->total[0] < (unsigned long) ilen )
252 ctx->total[1]++;
253
254 if( left && ilen >= fill )
255 {
256 memcpy( (void *) (ctx->buffer + left),
257 (void *) input, fill );
258 sha2_process( ctx, ctx->buffer );
259 input += fill;
260 ilen -= fill;
261 left = 0;
262 }
263
264 while( ilen >= 64 )
265 {
266 sha2_process( ctx, input );
267 input += 64;
268 ilen -= 64;
269 }
270
271 if( ilen > 0 )
272 {
273 memcpy( (void *) (ctx->buffer + left),
274 (void *) input, ilen );
275 }
276 }
277
278 static const unsigned char sha2_padding[64] =
279 {
280 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
281 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
282 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
283 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
284 };
285
286 /*
287 * SHA-256 final digest
288 */
289 void sha2_finish( sha2_context *ctx, unsigned char output[32] )
290 {
291 unsigned long last, padn;
292 unsigned long high, low;
293 unsigned char msglen[8];
294
295 high = ( ctx->total[0] >> 29 )
296 | ( ctx->total[1] << 3 );
297 low = ( ctx->total[0] << 3 );
298
299 PUT_ULONG_BE( high, msglen, 0 );
300 PUT_ULONG_BE( low, msglen, 4 );
301
302 last = ctx->total[0] & 0x3F;
303 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
304
305 sha2_update( ctx, (unsigned char *) sha2_padding, padn );
306 sha2_update( ctx, msglen, 8 );
307
308 PUT_ULONG_BE( ctx->state[0], output, 0 );
309 PUT_ULONG_BE( ctx->state[1], output, 4 );
310 PUT_ULONG_BE( ctx->state[2], output, 8 );
311 PUT_ULONG_BE( ctx->state[3], output, 12 );
312 PUT_ULONG_BE( ctx->state[4], output, 16 );
313 PUT_ULONG_BE( ctx->state[5], output, 20 );
314 PUT_ULONG_BE( ctx->state[6], output, 24 );
315
316 if( ctx->is224 == 0 )
317 PUT_ULONG_BE( ctx->state[7], output, 28 );
318 }
319
320 /*
321 * output = SHA-256( input buffer )
322 */
323 void sha2( const unsigned char *input, int ilen,
324 unsigned char output[32], int is224 )
325 {
326 sha2_context ctx;
327
328 sha2_starts( &ctx, is224 );
329 sha2_update( &ctx, input, ilen );
330 sha2_finish( &ctx, output );
331
332 memset( &ctx, 0, sizeof( sha2_context ) );
333 }
334
335 /*
336 * output = SHA-256( file contents )
337 */
338 int sha2_file( const char *path, unsigned char output[32], int is224 )
339 {
340 FILE *f;
341 size_t n;
342 sha2_context ctx;
343 unsigned char buf[1024];
344
345 if( ( f = fopen( path, "rb" ) ) == NULL )
346 return( 1 );
347
348 sha2_starts( &ctx, is224 );
349
350 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
351 sha2_update( &ctx, buf, (int) n );
352
353 sha2_finish( &ctx, output );
354
355 memset( &ctx, 0, sizeof( sha2_context ) );
356
357 if( ferror( f ) != 0 )
358 {
359 fclose( f );
360 return( 2 );
361 }
362
363 fclose( f );
364 return( 0 );
365 }
366
367 /*
368 * SHA-256 HMAC context setup
369 */
370 void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, int keylen,
371 int is224 )
372 {
373 int i;
374 unsigned char sum[32];
375
376 if( keylen > 64 )
377 {
378 sha2( key, keylen, sum, is224 );
379 keylen = ( is224 ) ? 28 : 32;
380 key = sum;
381 }
382
383 memset( ctx->ipad, 0x36, 64 );
384 memset( ctx->opad, 0x5C, 64 );
385
386 for( i = 0; i < keylen; i++ )
387 {
388 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
389 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
390 }
391
392 sha2_starts( ctx, is224 );
393 sha2_update( ctx, ctx->ipad, 64 );
394
395 memset( sum, 0, sizeof( sum ) );
396 }
397
398 /*
399 * SHA-256 HMAC process buffer
400 */
401 void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, int ilen )
402 {
403 sha2_update( ctx, input, ilen );
404 }
405
406 /*
407 * SHA-256 HMAC final digest
408 */
409 void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
410 {
411 int is224, hlen;
412 unsigned char tmpbuf[32];
413
414 is224 = ctx->is224;
415 hlen = ( is224 == 0 ) ? 32 : 28;
416
417 sha2_finish( ctx, tmpbuf );
418 sha2_starts( ctx, is224 );
419 sha2_update( ctx, ctx->opad, 64 );
420 sha2_update( ctx, tmpbuf, hlen );
421 sha2_finish( ctx, output );
422
423 memset( tmpbuf, 0, sizeof( tmpbuf ) );
424 }
425
426 /*
427 * SHA-256 HMAC context reset
428 */
429 void sha2_hmac_reset( sha2_context *ctx )
430 {
431 sha2_starts( ctx, ctx->is224 );
432 sha2_update( ctx, ctx->ipad, 64 );
433 }
434
435 /*
436 * output = HMAC-SHA-256( hmac key, input buffer )
437 */
438 void sha2_hmac( const unsigned char *key, int keylen,
439 const unsigned char *input, int ilen,
440 unsigned char output[32], int is224 )
441 {
442 sha2_context ctx;
443
444 sha2_hmac_starts( &ctx, key, keylen, is224 );
445 sha2_hmac_update( &ctx, input, ilen );
446 sha2_hmac_finish( &ctx, output );
447
448 memset( &ctx, 0, sizeof( sha2_context ) );
449 }
450
451
452 #endif
453 #endif
Unnamed repository; edit this file 'description' to name the repository.