File Coverage

deps/libgit2/src/util/hash/rfc6234/sha224-256.c

Criterion	Covered	Total	%
statement	0	126	0.0
branch	0	60	0.0
condition			n/a
subroutine			n/a
pod			n/a
total	0	186	0.0

line	stmt	bran	code
1			/*********************** sha224-256.c **********************/
2			/*************** See RFC 6234 for details. *****************/
3			/* Copyright (c) 2011 IETF Trust and the persons identified as */
4			/* authors of the code. All rights reserved. */
5			/* See sha.h for terms of use and redistribution. */
6
7			/*
8			* Description:
9			* This file implements the Secure Hash Algorithms SHA-224 and
10			* SHA-256 as defined in the U.S. National Institute of Standards
11			* and Technology Federal Information Processing Standards
12			* Publication (FIPS PUB) 180-3 published in October 2008
13			* and formerly defined in its predecessors, FIPS PUB 180-1
14			* and FIP PUB 180-2.
15			*
16			* A combined document showing all algorithms is available at
17			* http://csrc.nist.gov/publications/fips/
18			* fips180-3/fips180-3_final.pdf
19			*
20			* The SHA-224 and SHA-256 algorithms produce 224-bit and 256-bit
21			* message digests for a given data stream. It should take about
22			* 2**n steps to find a message with the same digest as a given
23			* message and 2**(n/2) to find any two messages with the same
24			* digest, when n is the digest size in bits. Therefore, this
25			* algorithm can serve as a means of providing a
26			* "fingerprint" for a message.
27			*
28			* Portability Issues:
29			* SHA-224 and SHA-256 are defined in terms of 32-bit "words".
30			* This code uses (included via "sha.h") to define 32-
31			* and 8-bit unsigned integer types. If your C compiler does not
32			* support 32-bit unsigned integers, this code is not
33			* appropriate.
34			*
35			* Caveats:
36			* SHA-224 and SHA-256 are designed to work with messages less
37			* than 2^64 bits long. This implementation uses SHA224/256Input()
38			* to hash the bits that are a multiple of the size of an 8-bit
39			* octet, and then optionally uses SHA224/256FinalBits()
40			* to hash the final few bits of the input.
41			*/
42
43			#include "sha.h"
44
45			/*
46			* These definitions are defined in FIPS 180-3, section 4.1.
47			* Ch() and Maj() are defined identically in sections 4.1.1,
48			* 4.1.2, and 4.1.3.
49			*
50			* The definitions used in FIPS 180-3 are as follows:
51			*/
52			#ifndef USE_MODIFIED_MACROS
53			#define SHA_Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
54			#define SHA_Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
55			#else /* USE_MODIFIED_MACROS */
56			/*
57			* The following definitions are equivalent and potentially faster.
58			*/
59			#define SHA_Ch(x, y, z) (((x) & ((y) ^ (z))) ^ (z))
60			#define SHA_Maj(x, y, z) (((x) & ((y) \| (z))) \| ((y) & (z)))
61			#endif /* USE_MODIFIED_MACROS */
62
63			#define SHA_Parity(x, y, z) ((x) ^ (y) ^ (z))
64
65			/* Define the SHA shift, rotate left, and rotate right macros */
66			#define SHA256_SHR(bits,word) ((word) >> (bits))
67			#define SHA256_ROTL(bits,word) \
68			(((word) << (bits)) \| ((word) >> (32-(bits))))
69			#define SHA256_ROTR(bits,word) \
70			(((word) >> (bits)) \| ((word) << (32-(bits))))
71
72			/* Define the SHA SIGMA and sigma macros */
73			#define SHA256_SIGMA0(word) \
74			(SHA256_ROTR( 2,word) ^ SHA256_ROTR(13,word) ^ SHA256_ROTR(22,word))
75			#define SHA256_SIGMA1(word) \
76			(SHA256_ROTR( 6,word) ^ SHA256_ROTR(11,word) ^ SHA256_ROTR(25,word))
77			#define SHA256_sigma0(word) \
78			(SHA256_ROTR( 7,word) ^ SHA256_ROTR(18,word) ^ SHA256_SHR( 3,word))
79			#define SHA256_sigma1(word) \
80			(SHA256_ROTR(17,word) ^ SHA256_ROTR(19,word) ^ SHA256_SHR(10,word))
81
82			/*
83			* Add "length" to the length.
84			* Set Corrupted when overflow has occurred.
85			*/
86			static uint32_t addTemp;
87			#define SHA224_256AddLength(context, length) \
88			(addTemp = (context)->Length_Low, (context)->Corrupted = \
89			(((context)->Length_Low += (length)) < addTemp) && \
90			(++(context)->Length_High == 0) ? shaInputTooLong : \
91			(context)->Corrupted )
92
93			/* Local Function Prototypes */
94			static int SHA224_256Reset(SHA256Context context, uint32_t H0);
95			static void SHA224_256ProcessMessageBlock(SHA256Context *context);
96			static void SHA224_256Finalize(SHA256Context *context,
97			uint8_t Pad_Byte);
98			static void SHA224_256PadMessage(SHA256Context *context,
99			uint8_t Pad_Byte);
100			static int SHA224_256ResultN(SHA256Context *context,
101			uint8_t Message_Digest[ ], int HashSize);
102
103			/* Initial Hash Values: FIPS 180-3 section 5.3.2 */
104			static uint32_t SHA224_H0[SHA256HashSize/4] = {
105			0xC1059ED8, 0x367CD507, 0x3070DD17, 0xF70E5939,
106			0xFFC00B31, 0x68581511, 0x64F98FA7, 0xBEFA4FA4
107			};
108
109			/* Initial Hash Values: FIPS 180-3 section 5.3.3 */
110			static uint32_t SHA256_H0[SHA256HashSize/4] = {
111			0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
112			0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19
113			};
114
115			/*
116			* SHA224Reset
117			*
118			* Description:
119			* This function will initialize the SHA224Context in preparation
120			* for computing a new SHA224 message digest.
121			*
122			* Parameters:
123			* context: [in/out]
124			* The context to reset.
125			*
126			* Returns:
127			* sha Error Code.
128			*/
129	0		int SHA224Reset(SHA224Context *context)
130			{
131	0		return SHA224_256Reset(context, SHA224_H0);
132			}
133
134			/*
135			* SHA224Input
136			*
137			* Description:
138			* This function accepts an array of octets as the next portion
139			* of the message.
140			*
141			* Parameters:
142			* context: [in/out]
143			* The SHA context to update.
144			* message_array[ ]: [in]
145			* An array of octets representing the next portion of
146			* the message.
147			* length: [in]
148			* The length of the message in message_array.
149			*
150			* Returns:
151			* sha Error Code.
152			*
153			*/
154	0		int SHA224Input(SHA224Context context, const uint8_t message_array,
155			unsigned int length)
156			{
157	0		return SHA256Input(context, message_array, length);
158			}
159
160			/*
161			* SHA224FinalBits
162			*
163			* Description:
164			* This function will add in any final bits of the message.
165			*
166			* Parameters:
167			* context: [in/out]
168			* The SHA context to update.
169			* message_bits: [in]
170			* The final bits of the message, in the upper portion of the
171			* byte. (Use 0b###00000 instead of 0b00000### to input the
172			* three bits ###.)
173			* length: [in]
174			* The number of bits in message_bits, between 1 and 7.
175			*
176			* Returns:
177			* sha Error Code.
178			*/
179	0		int SHA224FinalBits(SHA224Context *context,
180			uint8_t message_bits, unsigned int length)
181			{
182	0		return SHA256FinalBits(context, message_bits, length);
183			}
184
185			/*
186			* SHA224Result
187			*
188			* Description:
189			* This function will return the 224-bit message digest
190			* into the Message_Digest array provided by the caller.
191			* NOTE:
192			* The first octet of hash is stored in the element with index 0,
193			* the last octet of hash in the element with index 27.
194			*
195			* Parameters:
196			* context: [in/out]
197			* The context to use to calculate the SHA hash.
198			* Message_Digest[ ]: [out]
199			* Where the digest is returned.
200			*
201			* Returns:
202			* sha Error Code.
203			*/
204	0		int SHA224Result(SHA224Context *context,
205			uint8_t Message_Digest[SHA224HashSize])
206			{
207	0		return SHA224_256ResultN(context, Message_Digest, SHA224HashSize);
208			}
209
210			/*
211			* SHA256Reset
212			*
213			* Description:
214			* This function will initialize the SHA256Context in preparation
215			* for computing a new SHA256 message digest.
216			*
217			* Parameters:
218			* context: [in/out]
219			* The context to reset.
220			*
221			* Returns:
222			* sha Error Code.
223			*/
224	0		int SHA256Reset(SHA256Context *context)
225			{
226	0		return SHA224_256Reset(context, SHA256_H0);
227			}
228
229			/*
230			* SHA256Input
231			*
232			* Description:
233			* This function accepts an array of octets as the next portion
234			* of the message.
235			*
236			* Parameters:
237			* context: [in/out]
238			* The SHA context to update.
239			* message_array[ ]: [in]
240			* An array of octets representing the next portion of
241			* the message.
242			* length: [in]
243			* The length of the message in message_array.
244			*
245			* Returns:
246			* sha Error Code.
247			*/
248	0		int SHA256Input(SHA256Context context, const uint8_t message_array,
249			unsigned int length)
250			{
251	0	0	if (!context) return shaNull;
252	0	0	if (!length) return shaSuccess;
253	0	0	if (!message_array) return shaNull;
254	0	0	if (context->Computed) return context->Corrupted = shaStateError;
255	0	0	if (context->Corrupted) return context->Corrupted;
256
257	0	0	while (length--) {
258	0		context->Message_Block[context->Message_Block_Index++] =
259	0		*message_array;
260
261	0	0	if ((SHA224_256AddLength(context, 8) == shaSuccess) &&
		0
		0
		0
262	0		(context->Message_Block_Index == SHA256_Message_Block_Size))
263	0		SHA224_256ProcessMessageBlock(context);
264
265	0		message_array++;
266			}
267
268	0		return context->Corrupted;
269
270			}
271
272			/*
273			* SHA256FinalBits
274			*
275			* Description:
276			* This function will add in any final bits of the message.
277			*
278			* Parameters:
279			* context: [in/out]
280			* The SHA context to update.
281			* message_bits: [in]
282			* The final bits of the message, in the upper portion of the
283			* byte. (Use 0b###00000 instead of 0b00000### to input the
284			* three bits ###.)
285			* length: [in]
286			* The number of bits in message_bits, between 1 and 7.
287			*
288			* Returns:
289			* sha Error Code.
290			*/
291	0		int SHA256FinalBits(SHA256Context *context,
292			uint8_t message_bits, unsigned int length)
293			{
294			static uint8_t masks[8] = {
295			/* 0 0b00000000 / 0x00, / 1 0b10000000 */ 0x80,
296			/* 2 0b11000000 / 0xC0, / 3 0b11100000 */ 0xE0,
297			/* 4 0b11110000 / 0xF0, / 5 0b11111000 */ 0xF8,
298			/* 6 0b11111100 / 0xFC, / 7 0b11111110 */ 0xFE
299			};
300			static uint8_t markbit[8] = {
301			/* 0 0b10000000 / 0x80, / 1 0b01000000 */ 0x40,
302			/* 2 0b00100000 / 0x20, / 3 0b00010000 */ 0x10,
303			/* 4 0b00001000 / 0x08, / 5 0b00000100 */ 0x04,
304			/* 6 0b00000010 / 0x02, / 7 0b00000001 */ 0x01
305			};
306
307	0	0	if (!context) return shaNull;
308	0	0	if (!length) return shaSuccess;
309	0	0	if (context->Corrupted) return context->Corrupted;
310	0	0	if (context->Computed) return context->Corrupted = shaStateError;
311	0	0	if (length >= 8) return context->Corrupted = shaBadParam;
312
313	0	0	SHA224_256AddLength(context, length);
		0
314	0		SHA224_256Finalize(context, (uint8_t)
315	0		((message_bits & masks[length]) \| markbit[length]));
316
317	0		return context->Corrupted;
318			}
319
320			/*
321			* SHA256Result
322			*
323			* Description:
324			* This function will return the 256-bit message digest
325			* into the Message_Digest array provided by the caller.
326			* NOTE:
327			* The first octet of hash is stored in the element with index 0,
328			* the last octet of hash in the element with index 31.
329			*
330			* Parameters:
331			* context: [in/out]
332			* The context to use to calculate the SHA hash.
333			* Message_Digest[ ]: [out]
334			* Where the digest is returned.
335			*
336			* Returns:
337			* sha Error Code.
338			*/
339	0		int SHA256Result(SHA256Context *context,
340			uint8_t Message_Digest[SHA256HashSize])
341			{
342	0		return SHA224_256ResultN(context, Message_Digest, SHA256HashSize);
343			}
344
345			/*
346			* SHA224_256Reset
347			*
348			* Description:
349			* This helper function will initialize the SHA256Context in
350			* preparation for computing a new SHA-224 or SHA-256 message digest.
351			*
352			* Parameters:
353			* context: [in/out]
354			* The context to reset.
355			* H0[ ]: [in]
356			* The initial hash value array to use.
357			*
358			* Returns:
359			* sha Error Code.
360			*/
361	0		static int SHA224_256Reset(SHA256Context context, uint32_t H0)
362			{
363	0	0	if (!context) return shaNull;
364
365	0		context->Length_High = context->Length_Low = 0;
366	0		context->Message_Block_Index = 0;
367
368	0		context->Intermediate_Hash[0] = H0[0];
369	0		context->Intermediate_Hash[1] = H0[1];
370	0		context->Intermediate_Hash[2] = H0[2];
371	0		context->Intermediate_Hash[3] = H0[3];
372	0		context->Intermediate_Hash[4] = H0[4];
373	0		context->Intermediate_Hash[5] = H0[5];
374	0		context->Intermediate_Hash[6] = H0[6];
375	0		context->Intermediate_Hash[7] = H0[7];
376
377	0		context->Computed = 0;
378	0		context->Corrupted = shaSuccess;
379
380	0		return shaSuccess;
381			}
382
383			/*
384			* SHA224_256ProcessMessageBlock
385			*
386			* Description:
387			* This helper function will process the next 512 bits of the
388			* message stored in the Message_Block array.
389			*
390			* Parameters:
391			* context: [in/out]
392			* The SHA context to update.
393			*
394			* Returns:
395			* Nothing.
396			*
397			* Comments:
398			* Many of the variable names in this code, especially the
399			* single character names, were used because those were the
400			* names used in the Secure Hash Standard.
401			*/
402	0		static void SHA224_256ProcessMessageBlock(SHA256Context *context)
403			{
404			/* Constants defined in FIPS 180-3, section 4.2.2 */
405			static const uint32_t K[64] = {
406			0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
407			0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01,
408			0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7,
409			0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
410			0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152,
411			0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
412			0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc,
413			0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
414			0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
415			0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08,
416			0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f,
417			0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
418			0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
419			};
420			int t, t4; /* Loop counter */
421			uint32_t temp1, temp2; /* Temporary word value */
422			uint32_t W[64]; /* Word sequence */
423			uint32_t A, B, C, D, E, F, G, H; /* Word buffers */
424
425			/*
426			* Initialize the first 16 words in the array W
427			*/
428	0	0	for (t = t4 = 0; t < 16; t++, t4 += 4)
429	0		W[t] = (((uint32_t)context->Message_Block[t4]) << 24) \|
430	0		(((uint32_t)context->Message_Block[t4 + 1]) << 16) \|
431	0		(((uint32_t)context->Message_Block[t4 + 2]) << 8) \|
432	0		(((uint32_t)context->Message_Block[t4 + 3]));
433
434	0	0	for (t = 16; t < 64; t++)
435	0		W[t] = SHA256_sigma1(W[t-2]) + W[t-7] +
436	0		SHA256_sigma0(W[t-15]) + W[t-16];
437
438	0		A = context->Intermediate_Hash[0];
439	0		B = context->Intermediate_Hash[1];
440	0		C = context->Intermediate_Hash[2];
441	0		D = context->Intermediate_Hash[3];
442	0		E = context->Intermediate_Hash[4];
443	0		F = context->Intermediate_Hash[5];
444	0		G = context->Intermediate_Hash[6];
445	0		H = context->Intermediate_Hash[7];
446
447	0	0	for (t = 0; t < 64; t++) {
448	0		temp1 = H + SHA256_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
449	0		temp2 = SHA256_SIGMA0(A) + SHA_Maj(A,B,C);
450	0		H = G;
451	0		G = F;
452	0		F = E;
453	0		E = D + temp1;
454	0		D = C;
455	0		C = B;
456	0		B = A;
457	0		A = temp1 + temp2;
458			}
459
460	0		context->Intermediate_Hash[0] += A;
461	0		context->Intermediate_Hash[1] += B;
462	0		context->Intermediate_Hash[2] += C;
463	0		context->Intermediate_Hash[3] += D;
464	0		context->Intermediate_Hash[4] += E;
465	0		context->Intermediate_Hash[5] += F;
466	0		context->Intermediate_Hash[6] += G;
467	0		context->Intermediate_Hash[7] += H;
468
469	0		context->Message_Block_Index = 0;
470	0		}
471
472			/*
473			* SHA224_256Finalize
474			*
475			* Description:
476			* This helper function finishes off the digest calculations.
477			*
478			* Parameters:
479			* context: [in/out]
480			* The SHA context to update.
481			* Pad_Byte: [in]
482			* The last byte to add to the message block before the 0-padding
483			* and length. This will contain the last bits of the message
484			* followed by another single bit. If the message was an
485			* exact multiple of 8-bits long, Pad_Byte will be 0x80.
486			*
487			* Returns:
488			* sha Error Code.
489			*/
490	0		static void SHA224_256Finalize(SHA256Context *context,
491			uint8_t Pad_Byte)
492			{
493			int i;
494	0		SHA224_256PadMessage(context, Pad_Byte);
495			/* message may be sensitive, so clear it out */
496	0	0	for (i = 0; i < SHA256_Message_Block_Size; ++i)
497	0		context->Message_Block[i] = 0;
498	0		context->Length_High = 0; /* and clear length */
499	0		context->Length_Low = 0;
500	0		context->Computed = 1;
501	0		}
502
503			/*
504			* SHA224_256PadMessage
505			*
506			* Description:
507			* According to the standard, the message must be padded to the next
508			* even multiple of 512 bits. The first padding bit must be a '1'.
509			* The last 64 bits represent the length of the original message.
510			* All bits in between should be 0. This helper function will pad
511			* the message according to those rules by filling the
512			* Message_Block array accordingly. When it returns, it can be
513			* assumed that the message digest has been computed.
514			*
515			* Parameters:
516			* context: [in/out]
517			* The context to pad.
518			* Pad_Byte: [in]
519			* The last byte to add to the message block before the 0-padding
520			* and length. This will contain the last bits of the message
521			* followed by another single bit. If the message was an
522			* exact multiple of 8-bits long, Pad_Byte will be 0x80.
523			*
524			* Returns:
525			* Nothing.
526			*/
527	0		static void SHA224_256PadMessage(SHA256Context *context,
528			uint8_t Pad_Byte)
529			{
530			/*
531			* Check to see if the current message block is too small to hold
532			* the initial padding bits and length. If so, we will pad the
533			* block, process it, and then continue padding into a second
534			* block.
535			*/
536	0	0	if (context->Message_Block_Index >= (SHA256_Message_Block_Size-8)) {
537	0		context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
538	0	0	while (context->Message_Block_Index < SHA256_Message_Block_Size)
539	0		context->Message_Block[context->Message_Block_Index++] = 0;
540	0		SHA224_256ProcessMessageBlock(context);
541			} else
542	0		context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
543
544	0	0	while (context->Message_Block_Index < (SHA256_Message_Block_Size-8))
545	0		context->Message_Block[context->Message_Block_Index++] = 0;
546
547			/*
548			* Store the message length as the last 8 octets
549			*/
550	0		context->Message_Block[56] = (uint8_t)(context->Length_High >> 24);
551	0		context->Message_Block[57] = (uint8_t)(context->Length_High >> 16);
552	0		context->Message_Block[58] = (uint8_t)(context->Length_High >> 8);
553	0		context->Message_Block[59] = (uint8_t)(context->Length_High);
554	0		context->Message_Block[60] = (uint8_t)(context->Length_Low >> 24);
555	0		context->Message_Block[61] = (uint8_t)(context->Length_Low >> 16);
556	0		context->Message_Block[62] = (uint8_t)(context->Length_Low >> 8);
557	0		context->Message_Block[63] = (uint8_t)(context->Length_Low);
558
559	0		SHA224_256ProcessMessageBlock(context);
560	0		}
561
562			/*
563			* SHA224_256ResultN
564			*
565			* Description:
566			* This helper function will return the 224-bit or 256-bit message
567			* digest into the Message_Digest array provided by the caller.
568			* NOTE:
569			* The first octet of hash is stored in the element with index 0,
570			* the last octet of hash in the element with index 27/31.
571			*
572			* Parameters:
573			* context: [in/out]
574			* The context to use to calculate the SHA hash.
575			* Message_Digest[ ]: [out]
576			* Where the digest is returned.
577			* HashSize: [in]
578			* The size of the hash, either 28 or 32.
579			*
580			* Returns:
581			* sha Error Code.
582			*/
583	0		static int SHA224_256ResultN(SHA256Context *context,
584			uint8_t Message_Digest[ ], int HashSize)
585			{
586			int i;
587
588	0	0	if (!context) return shaNull;
589	0	0	if (!Message_Digest) return shaNull;
590	0	0	if (context->Corrupted) return context->Corrupted;
591
592	0	0	if (!context->Computed)
593	0		SHA224_256Finalize(context, 0x80);
594
595	0	0	for (i = 0; i < HashSize; ++i)
596	0		Message_Digest[i] = (uint8_t)
597	0		(context->Intermediate_Hash[i>>2] >> 8 * ( 3 - ( i & 0x03 ) ));
598
599	0		return shaSuccess;
600			}
601