projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'master' of git://git.exim.org/exim
[exim.git] / src / src / pdkim / sha2.c
1 /*
2 * FIPS-180-2 compliant SHA-256 implementation
3 *
4 * Copyright (C) 2006-2010, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25 /*
26 * The SHA-256 Secure Hash Standard was published by NIST in 2002.
27 *
28 * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
29 */
30
31 /* $Cambridge: exim/src/src/pdkim/sha2.c,v 1.3 2009/12/07 13:05:07 tom Exp $ */
32
33 #include "sha2.h"
34
35 #include <string.h>
36 #include <stdio.h>
37
38 /*
39 * 32-bit integer manipulation macros (big endian)
40 */
41 #ifndef GET_ULONG_BE
42 #define GET_ULONG_BE(n,b,i) \
43 { \
44 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
45 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
46 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
47 | ( (unsigned long) (b)[(i) + 3] ); \
48 }
49 #endif
50
51 #ifndef PUT_ULONG_BE
52 #define PUT_ULONG_BE(n,b,i) \
53 { \
54 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
55 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
56 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
57 (b)[(i) + 3] = (unsigned char) ( (n) ); \
58 }
59 #endif
60
61 /*
62 * SHA-256 context setup
63 */
64 void sha2_starts( sha2_context *ctx, int is224 )
65 {
66 ctx->total[0] = 0;
67 ctx->total[1] = 0;
68
69 if( is224 == 0 )
70 {
71 /* SHA-256 */
72 ctx->state[0] = 0x6A09E667;
73 ctx->state[1] = 0xBB67AE85;
74 ctx->state[2] = 0x3C6EF372;
75 ctx->state[3] = 0xA54FF53A;
76 ctx->state[4] = 0x510E527F;
77 ctx->state[5] = 0x9B05688C;
78 ctx->state[6] = 0x1F83D9AB;
79 ctx->state[7] = 0x5BE0CD19;
80 }
81 else
82 {
83 /* SHA-224 */
84 ctx->state[0] = 0xC1059ED8;
85 ctx->state[1] = 0x367CD507;
86 ctx->state[2] = 0x3070DD17;
87 ctx->state[3] = 0xF70E5939;
88 ctx->state[4] = 0xFFC00B31;
89 ctx->state[5] = 0x68581511;
90 ctx->state[6] = 0x64F98FA7;
91 ctx->state[7] = 0xBEFA4FA4;
92 }
93
94 ctx->is224 = is224;
95 }
96
97 static void sha2_process( sha2_context *ctx, const unsigned char data[64] )
98 {
99 unsigned long temp1, temp2, W[64];
100 unsigned long A, B, C, D, E, F, G, H;
101
102 GET_ULONG_BE( W[ 0], data, 0 );
103 GET_ULONG_BE( W[ 1], data, 4 );
104 GET_ULONG_BE( W[ 2], data, 8 );
105 GET_ULONG_BE( W[ 3], data, 12 );
106 GET_ULONG_BE( W[ 4], data, 16 );
107 GET_ULONG_BE( W[ 5], data, 20 );
108 GET_ULONG_BE( W[ 6], data, 24 );
109 GET_ULONG_BE( W[ 7], data, 28 );
110 GET_ULONG_BE( W[ 8], data, 32 );
111 GET_ULONG_BE( W[ 9], data, 36 );
112 GET_ULONG_BE( W[10], data, 40 );
113 GET_ULONG_BE( W[11], data, 44 );
114 GET_ULONG_BE( W[12], data, 48 );
115 GET_ULONG_BE( W[13], data, 52 );
116 GET_ULONG_BE( W[14], data, 56 );
117 GET_ULONG_BE( W[15], data, 60 );
118
119 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
120 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
121
122 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
123 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
124
125 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
126 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
127
128 #define F0(x,y,z) ((x & y) | (z & (x | y)))
129 #define F1(x,y,z) (z ^ (x & (y ^ z)))
130
131 #define R(t) \
132 ( \
133 W[t] = S1(W[t - 2]) + W[t - 7] + \
134 S0(W[t - 15]) + W[t - 16] \
135 )
136
137 #define P(a,b,c,d,e,f,g,h,x,K) \
138 { \
139 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
140 temp2 = S2(a) + F0(a,b,c); \
141 d += temp1; h = temp1 + temp2; \
142 }
143
144 A = ctx->state[0];
145 B = ctx->state[1];
146 C = ctx->state[2];
147 D = ctx->state[3];
148 E = ctx->state[4];
149 F = ctx->state[5];
150 G = ctx->state[6];
151 H = ctx->state[7];
152
153 P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
154 P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
155 P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
156 P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
157 P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
158 P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
159 P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
160 P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
161 P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
162 P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
163 P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
164 P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
165 P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
166 P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
167 P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
168 P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
169 P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
170 P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
171 P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
172 P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
173 P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
174 P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
175 P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
176 P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
177 P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
178 P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
179 P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
180 P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
181 P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
182 P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
183 P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
184 P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
185 P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
186 P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
187 P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
188 P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
189 P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
190 P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
191 P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
192 P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
193 P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
194 P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
195 P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
196 P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
197 P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
198 P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
199 P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
200 P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
201 P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
202 P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
203 P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
204 P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
205 P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
206 P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
207 P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
208 P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
209 P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
210 P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
211 P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
212 P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
213 P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
214 P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
215 P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
216 P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
217
218 ctx->state[0] += A;
219 ctx->state[1] += B;
220 ctx->state[2] += C;
221 ctx->state[3] += D;
222 ctx->state[4] += E;
223 ctx->state[5] += F;
224 ctx->state[6] += G;
225 ctx->state[7] += H;
226 }
227
228 /*
229 * SHA-256 process buffer
230 */
231 void sha2_update( sha2_context *ctx, const unsigned char *input, int ilen )
232 {
233 int fill;
234 unsigned long left;
235
236 if( ilen <= 0 )
237 return;
238
239 left = ctx->total[0] & 0x3F;
240 fill = 64 - left;
241
242 ctx->total[0] += ilen;
243 ctx->total[0] &= 0xFFFFFFFF;
244
245 if( ctx->total[0] < (unsigned long) ilen )
246 ctx->total[1]++;
247
248 if( left && ilen >= fill )
249 {
250 memcpy( (void *) (ctx->buffer + left),
251 (void *) input, fill );
252 sha2_process( ctx, ctx->buffer );
253 input += fill;
254 ilen -= fill;
255 left = 0;
256 }
257
258 while( ilen >= 64 )
259 {
260 sha2_process( ctx, input );
261 input += 64;
262 ilen -= 64;
263 }
264
265 if( ilen > 0 )
266 {
267 memcpy( (void *) (ctx->buffer + left),
268 (void *) input, ilen );
269 }
270 }
271
272 static const unsigned char sha2_padding[64] =
273 {
274 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
275 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
276 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
277 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
278 };
279
280 /*
281 * SHA-256 final digest
282 */
283 void sha2_finish( sha2_context *ctx, unsigned char output[32] )
284 {
285 unsigned long last, padn;
286 unsigned long high, low;
287 unsigned char msglen[8];
288
289 high = ( ctx->total[0] >> 29 )
290 | ( ctx->total[1] << 3 );
291 low = ( ctx->total[0] << 3 );
292
293 PUT_ULONG_BE( high, msglen, 0 );
294 PUT_ULONG_BE( low, msglen, 4 );
295
296 last = ctx->total[0] & 0x3F;
297 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
298
299 sha2_update( ctx, (unsigned char *) sha2_padding, padn );
300 sha2_update( ctx, msglen, 8 );
301
302 PUT_ULONG_BE( ctx->state[0], output, 0 );
303 PUT_ULONG_BE( ctx->state[1], output, 4 );
304 PUT_ULONG_BE( ctx->state[2], output, 8 );
305 PUT_ULONG_BE( ctx->state[3], output, 12 );
306 PUT_ULONG_BE( ctx->state[4], output, 16 );
307 PUT_ULONG_BE( ctx->state[5], output, 20 );
308 PUT_ULONG_BE( ctx->state[6], output, 24 );
309
310 if( ctx->is224 == 0 )
311 PUT_ULONG_BE( ctx->state[7], output, 28 );
312 }
313
314 /*
315 * output = SHA-256( input buffer )
316 */
317 void sha2( const unsigned char *input, int ilen,
318 unsigned char output[32], int is224 )
319 {
320 sha2_context ctx;
321
322 sha2_starts( &ctx, is224 );
323 sha2_update( &ctx, input, ilen );
324 sha2_finish( &ctx, output );
325
326 memset( &ctx, 0, sizeof( sha2_context ) );
327 }
328
329 /*
330 * output = SHA-256( file contents )
331 */
332 int sha2_file( const char *path, unsigned char output[32], int is224 )
333 {
334 FILE *f;
335 size_t n;
336 sha2_context ctx;
337 unsigned char buf[1024];
338
339 if( ( f = fopen( path, "rb" ) ) == NULL )
340 return( 1 );
341
342 sha2_starts( &ctx, is224 );
343
344 while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
345 sha2_update( &ctx, buf, (int) n );
346
347 sha2_finish( &ctx, output );
348
349 memset( &ctx, 0, sizeof( sha2_context ) );
350
351 if( ferror( f ) != 0 )
352 {
353 fclose( f );
354 return( 2 );
355 }
356
357 fclose( f );
358 return( 0 );
359 }
360
361 /*
362 * SHA-256 HMAC context setup
363 */
364 void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, int keylen,
365 int is224 )
366 {
367 int i;
368 unsigned char sum[32];
369
370 if( keylen > 64 )
371 {
372 sha2( key, keylen, sum, is224 );
373 keylen = ( is224 ) ? 28 : 32;
374 key = sum;
375 }
376
377 memset( ctx->ipad, 0x36, 64 );
378 memset( ctx->opad, 0x5C, 64 );
379
380 for( i = 0; i < keylen; i++ )
381 {
382 ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
383 ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
384 }
385
386 sha2_starts( ctx, is224 );
387 sha2_update( ctx, ctx->ipad, 64 );
388
389 memset( sum, 0, sizeof( sum ) );
390 }
391
392 /*
393 * SHA-256 HMAC process buffer
394 */
395 void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, int ilen )
396 {
397 sha2_update( ctx, input, ilen );
398 }
399
400 /*
401 * SHA-256 HMAC final digest
402 */
403 void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
404 {
405 int is224, hlen;
406 unsigned char tmpbuf[32];
407
408 is224 = ctx->is224;
409 hlen = ( is224 == 0 ) ? 32 : 28;
410
411 sha2_finish( ctx, tmpbuf );
412 sha2_starts( ctx, is224 );
413 sha2_update( ctx, ctx->opad, 64 );
414 sha2_update( ctx, tmpbuf, hlen );
415 sha2_finish( ctx, output );
416
417 memset( tmpbuf, 0, sizeof( tmpbuf ) );
418 }
419
420 /*
421 * SHA-256 HMAC context reset
422 */
423 void sha2_hmac_reset( sha2_context *ctx )
424 {
425 sha2_starts( ctx, ctx->is224 );
426 sha2_update( ctx, ctx->ipad, 64 );
427 }
428
429 /*
430 * output = HMAC-SHA-256( hmac key, input buffer )
431 */
432 void sha2_hmac( const unsigned char *key, int keylen,
433 const unsigned char *input, int ilen,
434 unsigned char output[32], int is224 )
435 {
436 sha2_context ctx;
437
438 sha2_hmac_starts( &ctx, key, keylen, is224 );
439 sha2_hmac_update( &ctx, input, ilen );
440 sha2_hmac_finish( &ctx, output );
441
442 memset( &ctx, 0, sizeof( sha2_context ) );
443 }
Unnamed repository; edit this file 'description' to name the repository.