File Coverage

src/sha256.c.inc

Criterion	Covered	Total	%
statement	140	147	95.2
branch	22	28	78.5
condition			n/a
subroutine			n/a
pod			n/a
total	162	175	92.5

line	stmt	bran	code
1			/*-
2			* Copyright 2005,2007,2009 Colin Percival
3			* All rights reserved.
4			*
5			* Redistribution and use in source and binary forms, with or without
6			* modification, are permitted provided that the following conditions
7			* are met:
8			* 1. Redistributions of source code must retain the above copyright
9			* notice, this list of conditions and the following disclaimer.
10			* 2. Redistributions in binary form must reproduce the above copyright
11			* notice, this list of conditions and the following disclaimer in the
12			* documentation and/or other materials provided with the distribution.
13			*
14			* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15			* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17			* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18			* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19			* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20			* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22			* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23			* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24			* SUCH DAMAGE.
25			*/
26			#include "scrypt_platform.h"
27
28			#include
29
30			#ifdef _MSC_VER
31			#include "msinttypes.h"
32			#elif defined(__sun) \|\| defined(__sun__)
33			#include
34			#else
35			#include
36			#endif
37
38			#include
39
40			#include "sysendian.h"
41
42			#include "sha256.h"
43
44			/*
45			* Encode a length len/4 vector of (uint32_t) into a length len vector of
46			* (unsigned char) in big-endian form. Assumes len is a multiple of 4.
47			*/
48			static void
49	3804		be32enc_vect(unsigned char dst, const uint32_t src, size_t len)
50			{
51			size_t i;
52
53	22824	100	for (i = 0; i < len / 4; i++)
54	19020		be32enc(dst + i * 4, src[i]);
55	3804		}
56
57			/*
58			* Decode a big-endian length len vector of (unsigned char) into a length
59			* len/4 vector of (uint32_t). Assumes len is a multiple of 4.
60			*/
61			static void
62	2444		be32dec_vect(uint32_t dst, const unsigned char src, size_t len)
63			{
64			size_t i;
65
66	41548	100	for (i = 0; i < len / 4; i++)
67	39104		dst[i] = be32dec(src + i * 4);
68	2444		}
69
70			/* Elementary functions used by SHA256 */
71			#define Ch(x, y, z) ((x & (y ^ z)) ^ z)
72			#define Maj(x, y, z) ((x & (y \| z)) \| (y & z))
73			#define SHR(x, n) (x >> n)
74			#define ROTR(x, n) ((x >> n) \| (x << (32 - n)))
75			#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
76			#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
77			#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
78			#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
79
80			/* SHA256 round function */
81			#define RND(a, b, c, d, e, f, g, h, k) \
82			t0 = h + S1(e) + Ch(e, f, g) + k; \
83			t1 = S0(a) + Maj(a, b, c); \
84			d += t0; \
85			h = t0 + t1;
86
87			/* Adjusted round function for rotating state */
88			#define RNDr(S, W, i, k) \
89			RND(S[(64 - i) % 8], S[(65 - i) % 8], \
90			S[(66 - i) % 8], S[(67 - i) % 8], \
91			S[(68 - i) % 8], S[(69 - i) % 8], \
92			S[(70 - i) % 8], S[(71 - i) % 8], \
93			W[i] + k)
94
95			/*
96			* SHA256 block compression function. The 256-bit state is transformed via
97			* the 512-bit input block to produce a new state.
98			*/
99			static void
100	2444		SHA256_Transform(uint32_t * state, const unsigned char block[64])
101			{
102			uint32_t W[64];
103			uint32_t S[8];
104			uint32_t t0, t1;
105			int i;
106
107			/* 1. Prepare message schedule W. */
108	2444		be32dec_vect(W, block, 64);
109	119756	100	for (i = 16; i < 64; i++)
110	117312		W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
111
112			/* 2. Initialize working variables. */
113			memcpy(S, state, 32);
114
115			/* 3. Mix. */
116	2444		RNDr(S, W, 0, 0x428a2f98);
117	2444		RNDr(S, W, 1, 0x71374491);
118	2444		RNDr(S, W, 2, 0xb5c0fbcf);
119	2444		RNDr(S, W, 3, 0xe9b5dba5);
120	2444		RNDr(S, W, 4, 0x3956c25b);
121	2444		RNDr(S, W, 5, 0x59f111f1);
122	2444		RNDr(S, W, 6, 0x923f82a4);
123	2444		RNDr(S, W, 7, 0xab1c5ed5);
124	2444		RNDr(S, W, 8, 0xd807aa98);
125	2444		RNDr(S, W, 9, 0x12835b01);
126	2444		RNDr(S, W, 10, 0x243185be);
127	2444		RNDr(S, W, 11, 0x550c7dc3);
128	2444		RNDr(S, W, 12, 0x72be5d74);
129	2444		RNDr(S, W, 13, 0x80deb1fe);
130	2444		RNDr(S, W, 14, 0x9bdc06a7);
131	2444		RNDr(S, W, 15, 0xc19bf174);
132	2444		RNDr(S, W, 16, 0xe49b69c1);
133	2444		RNDr(S, W, 17, 0xefbe4786);
134	2444		RNDr(S, W, 18, 0x0fc19dc6);
135	2444		RNDr(S, W, 19, 0x240ca1cc);
136	2444		RNDr(S, W, 20, 0x2de92c6f);
137	2444		RNDr(S, W, 21, 0x4a7484aa);
138	2444		RNDr(S, W, 22, 0x5cb0a9dc);
139	2444		RNDr(S, W, 23, 0x76f988da);
140	2444		RNDr(S, W, 24, 0x983e5152);
141	2444		RNDr(S, W, 25, 0xa831c66d);
142	2444		RNDr(S, W, 26, 0xb00327c8);
143	2444		RNDr(S, W, 27, 0xbf597fc7);
144	2444		RNDr(S, W, 28, 0xc6e00bf3);
145	2444		RNDr(S, W, 29, 0xd5a79147);
146	2444		RNDr(S, W, 30, 0x06ca6351);
147	2444		RNDr(S, W, 31, 0x14292967);
148	2444		RNDr(S, W, 32, 0x27b70a85);
149	2444		RNDr(S, W, 33, 0x2e1b2138);
150	2444		RNDr(S, W, 34, 0x4d2c6dfc);
151	2444		RNDr(S, W, 35, 0x53380d13);
152	2444		RNDr(S, W, 36, 0x650a7354);
153	2444		RNDr(S, W, 37, 0x766a0abb);
154	2444		RNDr(S, W, 38, 0x81c2c92e);
155	2444		RNDr(S, W, 39, 0x92722c85);
156	2444		RNDr(S, W, 40, 0xa2bfe8a1);
157	2444		RNDr(S, W, 41, 0xa81a664b);
158	2444		RNDr(S, W, 42, 0xc24b8b70);
159	2444		RNDr(S, W, 43, 0xc76c51a3);
160	2444		RNDr(S, W, 44, 0xd192e819);
161	2444		RNDr(S, W, 45, 0xd6990624);
162	2444		RNDr(S, W, 46, 0xf40e3585);
163	2444		RNDr(S, W, 47, 0x106aa070);
164	2444		RNDr(S, W, 48, 0x19a4c116);
165	2444		RNDr(S, W, 49, 0x1e376c08);
166	2444		RNDr(S, W, 50, 0x2748774c);
167	2444		RNDr(S, W, 51, 0x34b0bcb5);
168	2444		RNDr(S, W, 52, 0x391c0cb3);
169	2444		RNDr(S, W, 53, 0x4ed8aa4a);
170	2444		RNDr(S, W, 54, 0x5b9cca4f);
171	2444		RNDr(S, W, 55, 0x682e6ff3);
172	2444		RNDr(S, W, 56, 0x748f82ee);
173	2444		RNDr(S, W, 57, 0x78a5636f);
174	2444		RNDr(S, W, 58, 0x84c87814);
175	2444		RNDr(S, W, 59, 0x8cc70208);
176	2444		RNDr(S, W, 60, 0x90befffa);
177	2444		RNDr(S, W, 61, 0xa4506ceb);
178	2444		RNDr(S, W, 62, 0xbef9a3f7);
179	2444		RNDr(S, W, 63, 0xc67178f2);
180
181			/* 4. Mix local working variables into global state */
182	21996	100	for (i = 0; i < 8; i++)
183	19552		state[i] += S[i];
184
185			/* Clean the stack. */
186			memset(W, 0, 256);
187			memset(S, 0, 32);
188			t0 = t1 = 0;
189	2444		}
190
191			static unsigned char PAD[64] = {
192			0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
193			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
194			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
195			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
196			};
197
198			/* Add padding and terminating bit-count. */
199			static void
200	1902		SHA256_Pad(SHA256_CTX * ctx)
201			{
202			unsigned char len[8];
203			uint32_t r, plen;
204
205			/*
206			* Convert length to a vector of bytes -- we do this now rather
207			* than later because the length will change after we pad.
208			*/
209	1902		be32enc_vect(len, ctx->count, 8);
210
211			/* Add 1--64 bytes so that the resulting length is 56 mod 64 */
212	1902		r = (ctx->count[1] >> 3) & 0x3f;
213	1902	50	plen = (r < 56) ? (56 - r) : (120 - r);
214	1902		SHA256_Update(ctx, PAD, (size_t)plen);
215
216			/* Add the terminating bit-count */
217	1902		SHA256_Update(ctx, len, 8);
218	1902		}
219
220			/* SHA-256 initialization. Begins a SHA-256 operation. */
221			static void
222			SHA256_Init(SHA256_CTX * ctx)
223			{
224
225			/* Zero bits processed so far */
226	80		ctx->count[0] = ctx->count[1] = 0;
227
228			/* Magic initialization constants */
229	80		ctx->state[0] = 0x6A09E667;
230	80		ctx->state[1] = 0xBB67AE85;
231	80		ctx->state[2] = 0x3C6EF372;
232	80		ctx->state[3] = 0xA54FF53A;
233	80		ctx->state[4] = 0x510E527F;
234	80		ctx->state[5] = 0x9B05688C;
235	80		ctx->state[6] = 0x1F83D9AB;
236	80		ctx->state[7] = 0x5BE0CD19;
237			}
238
239			/* Add bytes into the hash */
240			static void
241	5826		SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
242			{
243			uint32_t bitlen[2];
244			uint32_t r;
245			const unsigned char *src = in;
246
247			/* Number of bytes left in the buffer from previous updates */
248	5826		r = (ctx->count[1] >> 3) & 0x3f;
249
250			/* Convert the length into a number of bits */
251	5826		bitlen[1] = ((uint32_t)len) << 3;
252	5826		bitlen[0] = (uint32_t)(len >> 29);
253
254			/* Update number of bits */
255	5826	50	if ((ctx->count[1] += bitlen[1]) < bitlen[1])
256	0		ctx->count[0]++;
257	5826		ctx->count[0] += bitlen[0];
258
259			/* Handle the case where we don't need to perform any transforms */
260	5826	100	if (len < 64 - r) {
261	3824		memcpy(&ctx->buf[r], src, len);
262			return;
263			}
264
265			/* Finish the current block */
266	2002		memcpy(&ctx->buf[r], src, 64 - r);
267	2002		SHA256_Transform(ctx->state, ctx->buf);
268	2002		src += 64 - r;
269	2002		len -= 64 - r;
270
271			/* Perform complete blocks */
272	2444	100	while (len >= 64) {
273	442		SHA256_Transform(ctx->state, src);
274	442		src += 64;
275	442		len -= 64;
276			}
277
278			/* Copy left over data into buffer */
279			memcpy(ctx->buf, src, len);
280			}
281
282			/*
283			* SHA-256 finalization. Pads the input data, exports the hash value,
284			* and clears the context state.
285			*/
286			static void
287	1902		SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx)
288			{
289
290			/* Add padding */
291	1902		SHA256_Pad(ctx);
292
293			/* Write the hash */
294	1902		be32enc_vect(digest, ctx->state, 32);
295
296			/* Clear the context state */
297			memset((void )ctx, 0, sizeof(ctx));
298	1902		}
299
300			/* Initialize an HMAC-SHA256 operation with the given key. */
301			static void
302	40		HMAC_SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen)
303			{
304			unsigned char pad[64];
305			unsigned char khash[32];
306			const unsigned char * K = _K;
307			size_t i;
308
309			/* If Klen > 64, the key is really SHA256(K). */
310	40	50	if (Klen > 64) {
311			SHA256_Init(&ctx->ictx);
312	0		SHA256_Update(&ctx->ictx, K, Klen);
313	0		SHA256_Final(khash, &ctx->ictx);
314			K = khash;
315			Klen = 32;
316			}
317
318			/* Inner SHA256 operation is SHA256(K xor [block of 0x36] \|\| data). */
319			SHA256_Init(&ctx->ictx);
320			memset(pad, 0x36, 64);
321	230	100	for (i = 0; i < Klen; i++)
322	190		pad[i] ^= K[i];
323	40		SHA256_Update(&ctx->ictx, pad, 64);
324
325			/* Outer SHA256 operation is SHA256(K xor [block of 0x5c] \|\| hash). */
326			SHA256_Init(&ctx->octx);
327			memset(pad, 0x5c, 64);
328	230	100	for (i = 0; i < Klen; i++)
329	190		pad[i] ^= K[i];
330	40		SHA256_Update(&ctx->octx, pad, 64);
331
332			/* Clean the stack. */
333			memset(khash, 0, 32);
334	40		}
335
336			/* Add bytes to the HMAC-SHA256 operation. */
337			static void
338			HMAC_SHA256_Update(HMAC_SHA256_CTX * ctx, const void *in, size_t len)
339			{
340
341			/* Feed data to the inner SHA256 operation. */
342	991		SHA256_Update(&ctx->ictx, in, len);
343			}
344
345			/* Finish an HMAC-SHA256 operation. */
346			static void
347	951		HMAC_SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX * ctx)
348			{
349			unsigned char ihash[32];
350
351			/* Finish the inner SHA256 operation. */
352	951		SHA256_Final(ihash, &ctx->ictx);
353
354			/* Feed the inner hash to the outer SHA256 operation. */
355	951		SHA256_Update(&ctx->octx, ihash, 32);
356
357			/* Finish the outer SHA256 operation. */
358	951		SHA256_Final(digest, &ctx->octx);
359
360			/* Clean the stack. */
361			memset(ihash, 0, 32);
362	951		}
363
364			/**
365			* PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
366			* Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
367			* write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
368			*/
369			static void
370	40		PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
371			size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen)
372			{
373			HMAC_SHA256_CTX PShctx, hctx;
374			size_t i;
375			uint8_t ivec[4];
376			uint8_t U[32];
377			uint8_t T[32];
378			uint64_t j;
379			int k;
380			size_t clen;
381
382			/* Compute HMAC state after processing P and S. */
383	40		HMAC_SHA256_Init(&PShctx, passwd, passwdlen);
384			HMAC_SHA256_Update(&PShctx, salt, saltlen);
385
386			/* Iterate through the blocks. */
387	991	100	for (i = 0; i * 32 < dkLen; i++) {
388			/* Generate INT(i + 1). */
389	951		be32enc(ivec, (uint32_t)(i + 1));
390
391			/* Compute U_1 = PRF(P, S \|\| INT(i)). */
392			memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX));
393			HMAC_SHA256_Update(&hctx, ivec, 4);
394	951		HMAC_SHA256_Final(U, &hctx);
395
396			/* T_i = U_1 ... */
397			memcpy(T, U, 32);
398
399	951	50	for (j = 2; j <= c; j++) {
400			/* Compute U_j. */
401	0		HMAC_SHA256_Init(&hctx, passwd, passwdlen);
402			HMAC_SHA256_Update(&hctx, U, 32);
403	0		HMAC_SHA256_Final(U, &hctx);
404
405			/* ... xor U_j ... */
406	0	0	for (k = 0; k < 32; k++)
407	0		T[k] ^= U[k];
408			}
409
410			/* Copy as many bytes as necessary into buf. */
411	951		clen = dkLen - i * 32;
412	951		if (clen > 32)
413			clen = 32;
414	951		memcpy(&buf[i * 32], T, clen);
415			}
416
417			/* Clean PShctx, since we never called _Final on it. */
418			memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX));
419	40		}