sha256.c
Go to the documentation of this file.
1 /**
2  * @file sha256.c
3  * @brief SHA-256 (Secure Hash Algorithm 256)
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneCrypto Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @section Description
26  *
27  * SHA-256 is a secure hash algorithm for computing a condensed representation
28  * of an electronic message. Refer to FIPS 180-4 for more details
29  *
30  * @author Oryx Embedded SARL (www.oryx-embedded.com)
31  * @version 1.9.0
32  **/
33 
34 //Switch to the appropriate trace level
35 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
36 
37 //Dependencies
38 #include "core/crypto.h"
39 #include "hash/sha256.h"
40 
41 //Check crypto library configuration
42 #if (SHA224_SUPPORT == ENABLED || SHA256_SUPPORT == ENABLED)
43 
44 //Macro to access the workspace as a circular buffer
45 #define W(t) w[(t) & 0x0F]
46 
47 //SHA-256 auxiliary functions
48 #define CH(x, y, z) (((x) & (y)) | (~(x) & (z)))
49 #define MAJ(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
50 #define SIGMA1(x) (ROR32(x, 2) ^ ROR32(x, 13) ^ ROR32(x, 22))
51 #define SIGMA2(x) (ROR32(x, 6) ^ ROR32(x, 11) ^ ROR32(x, 25))
52 #define SIGMA3(x) (ROR32(x, 7) ^ ROR32(x, 18) ^ SHR32(x, 3))
53 #define SIGMA4(x) (ROR32(x, 17) ^ ROR32(x, 19) ^ SHR32(x, 10))
54 
55 //SHA-256 padding
56 static const uint8_t padding[64] =
57 {
58  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
59  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
60  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
61  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
62 };
63 
64 //SHA-256 constants
65 static const uint32_t k[64] =
66 {
67  0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
68  0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
69  0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
70  0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
71  0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
72  0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
73  0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
74  0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2
75 };
76 
77 //SHA-256 object identifier (2.16.840.1.101.3.4.2.1)
78 const uint8_t sha256Oid[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01};
79 
80 //Common interface for hash algorithms
82 {
83  "SHA-256",
84  sha256Oid,
85  sizeof(sha256Oid),
86  sizeof(Sha256Context),
93 };
94 
95 
96 /**
97  * @brief Digest a message using SHA-256
98  * @param[in] data Pointer to the message being hashed
99  * @param[in] length Length of the message
100  * @param[out] digest Pointer to the calculated digest
101  * @return Error code
102  **/
103 
104 error_t sha256Compute(const void *data, size_t length, uint8_t *digest)
105 {
106  //Allocate a memory buffer to hold the SHA-256 context
107  Sha256Context *context = cryptoAllocMem(sizeof(Sha256Context));
108  //Failed to allocate memory?
109  if(context == NULL)
110  return ERROR_OUT_OF_MEMORY;
111 
112  //Initialize the SHA-256 context
113  sha256Init(context);
114  //Digest the message
115  sha256Update(context, data, length);
116  //Finalize the SHA-256 message digest
117  sha256Final(context, digest);
118 
119  //Free previously allocated memory
120  cryptoFreeMem(context);
121  //Successful processing
122  return NO_ERROR;
123 }
124 
125 
126 /**
127  * @brief Initialize SHA-256 message digest context
128  * @param[in] context Pointer to the SHA-256 context to initialize
129  **/
130 
131 void sha256Init(Sha256Context *context)
132 {
133  //Set initial hash value
134  context->h[0] = 0x6A09E667;
135  context->h[1] = 0xBB67AE85;
136  context->h[2] = 0x3C6EF372;
137  context->h[3] = 0xA54FF53A;
138  context->h[4] = 0x510E527F;
139  context->h[5] = 0x9B05688C;
140  context->h[6] = 0x1F83D9AB;
141  context->h[7] = 0x5BE0CD19;
142 
143  //Number of bytes in the buffer
144  context->size = 0;
145  //Total length of the message
146  context->totalSize = 0;
147 }
148 
149 
150 /**
151  * @brief Update the SHA-256 context with a portion of the message being hashed
152  * @param[in] context Pointer to the SHA-256 context
153  * @param[in] data Pointer to the buffer being hashed
154  * @param[in] length Length of the buffer
155  **/
156 
157 void sha256Update(Sha256Context *context, const void *data, size_t length)
158 {
159  size_t n;
160 
161  //Process the incoming data
162  while(length > 0)
163  {
164  //The buffer can hold at most 64 bytes
165  n = MIN(length, 64 - context->size);
166 
167  //Copy the data to the buffer
168  cryptoMemcpy(context->buffer + context->size, data, n);
169 
170  //Update the SHA-256 context
171  context->size += n;
172  context->totalSize += n;
173  //Advance the data pointer
174  data = (uint8_t *) data + n;
175  //Remaining bytes to process
176  length -= n;
177 
178  //Process message in 16-word blocks
179  if(context->size == 64)
180  {
181  //Transform the 16-word block
182  sha256ProcessBlock(context);
183  //Empty the buffer
184  context->size = 0;
185  }
186  }
187 }
188 
189 
190 /**
191  * @brief Finish the SHA-256 message digest
192  * @param[in] context Pointer to the SHA-256 context
193  * @param[out] digest Calculated digest (optional parameter)
194  **/
195 
196 void sha256Final(Sha256Context *context, uint8_t *digest)
197 {
198  uint_t i;
199  size_t paddingSize;
200  uint64_t totalSize;
201 
202  //Length of the original message (before padding)
203  totalSize = context->totalSize * 8;
204 
205  //Pad the message so that its length is congruent to 56 modulo 64
206  if(context->size < 56)
207  paddingSize = 56 - context->size;
208  else
209  paddingSize = 64 + 56 - context->size;
210 
211  //Append padding
212  sha256Update(context, padding, paddingSize);
213 
214  //Append the length of the original message
215  context->w[14] = htobe32((uint32_t) (totalSize >> 32));
216  context->w[15] = htobe32((uint32_t) totalSize);
217 
218  //Calculate the message digest
219  sha256ProcessBlock(context);
220 
221  //Convert from host byte order to big-endian byte order
222  for(i = 0; i < 8; i++)
223  context->h[i] = htobe32(context->h[i]);
224 
225  //Copy the resulting digest
226  if(digest != NULL)
227  cryptoMemcpy(digest, context->digest, SHA256_DIGEST_SIZE);
228 }
229 
230 
231 /**
232  * @brief Process message in 16-word blocks
233  * @param[in] context Pointer to the SHA-256 context
234  **/
235 
237 {
238  uint_t t;
239  uint32_t temp1;
240  uint32_t temp2;
241 
242  //Initialize the 8 working registers
243  uint32_t a = context->h[0];
244  uint32_t b = context->h[1];
245  uint32_t c = context->h[2];
246  uint32_t d = context->h[3];
247  uint32_t e = context->h[4];
248  uint32_t f = context->h[5];
249  uint32_t g = context->h[6];
250  uint32_t h = context->h[7];
251 
252  //Process message in 16-word blocks
253  uint32_t *w = context->w;
254 
255  //Convert from big-endian byte order to host byte order
256  for(t = 0; t < 16; t++)
257  w[t] = betoh32(w[t]);
258 
259  //SHA-256 hash computation (alternate method)
260  for(t = 0; t < 64; t++)
261  {
262  //Prepare the message schedule
263  if(t >= 16)
264  W(t) += SIGMA4(W(t + 14)) + W(t + 9) + SIGMA3(W(t + 1));
265 
266  //Calculate T1 and T2
267  temp1 = h + SIGMA2(e) + CH(e, f, g) + k[t] + W(t);
268  temp2 = SIGMA1(a) + MAJ(a, b, c);
269 
270  //Update the working registers
271  h = g;
272  g = f;
273  f = e;
274  e = d + temp1;
275  d = c;
276  c = b;
277  b = a;
278  a = temp1 + temp2;
279  }
280 
281  //Update the hash value
282  context->h[0] += a;
283  context->h[1] += b;
284  context->h[2] += c;
285  context->h[3] += d;
286  context->h[4] += e;
287  context->h[5] += f;
288  context->h[6] += g;
289  context->h[7] += h;
290 }
291 
292 #endif
#define W(t)
Definition: sha256.c:45
uint8_t c
Definition: ndp.h:510
void sha256Init(Sha256Context *context)
Initialize SHA-256 message digest context.
Definition: sha256.c:131
#define cryptoMemcpy(dest, src, length)
Definition: crypto.h:590
#define cryptoFreeMem(p)
Definition: crypto.h:578
error_t(* HashAlgoCompute)(const void *data, size_t length, uint8_t *digest)
Definition: crypto.h:1020
#define cryptoAllocMem(size)
Definition: crypto.h:573
#define htobe32(value)
Definition: cpu_endian.h:420
#define SHA256_DIGEST_SIZE
Definition: sha256.h:38
General definitions for cryptographic algorithms.
#define MAJ(x, y, z)
Definition: sha256.c:49
uint8_t digest[32]
Definition: sha256.h:59
void sha256ProcessBlock(Sha256Context *context)
Process message in 16-word blocks.
Definition: sha256.c:236
error_t sha256Compute(const void *data, size_t length, uint8_t *digest)
Digest a message using SHA-256.
Definition: sha256.c:104
uint32_t totalSize
#define betoh32(value)
Definition: cpu_endian.h:428
uint8_t a
Definition: ndp.h:407
uint64_t totalSize
Definition: sha256.h:67
uint16_t w[3]
Definition: ethernet.h:154
const uint8_t sha256Oid[9]
Definition: sha256.c:78
void(* HashAlgoInit)(void *context)
Definition: crypto.h:1021
#define SIGMA1(x)
Definition: sha256.c:50
#define CH(x, y, z)
Definition: sha256.c:48
size_t size
Definition: sha256.h:66
uint32_t h[8]
Definition: sha256.h:58
#define MIN(a, b)
Definition: os_port.h:60
#define SIGMA2(x)
Definition: sha256.c:51
void sha256Update(Sha256Context *context, const void *data, size_t length)
Update the SHA-256 context with a portion of the message being hashed.
Definition: sha256.c:157
void(* HashAlgoUpdate)(void *context, const void *data, size_t length)
Definition: crypto.h:1022
Success.
Definition: error.h:42
error_t
Error codes.
Definition: error.h:40
#define SIGMA4(x)
Definition: sha256.c:53
unsigned int uint_t
Definition: compiler_port.h:43
uint8_t data[]
Definition: dtls_misc.h:167
SHA-256 algorithm context.
Definition: sha256.h:54
const HashAlgo sha256HashAlgo
Definition: sha256.c:81
#define SHA256_BLOCK_SIZE
Definition: sha256.h:36
#define SIGMA3(x)
Definition: sha256.c:52
Common interface for hash algorithms.
Definition: crypto.h:1054
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
uint8_t h
Definition: ndp.h:297
uint32_t w[16]
Definition: sha256.h:63
SHA-256 (Secure Hash Algorithm 256)
uint8_t b[6]
Definition: dtls_misc.h:130
void sha256Final(Sha256Context *context, uint8_t *digest)
Finish the SHA-256 message digest.
Definition: sha256.c:196
void(* HashAlgoFinal)(void *context, uint8_t *digest)
Definition: crypto.h:1023
uint8_t buffer[64]
Definition: sha256.h:64