hash: implement SHA-{224,256}

Add the HMAC and Wycheproof bits for HMAC while at it.
This commit is contained in:
Lucas Gabriel Vuotto 2024-06-07 03:14:21 +00:00
parent 0605d10bb3
commit 1a8f813442
11 changed files with 521 additions and 3 deletions

View File

@ -1,8 +1,8 @@
LC_SRCS+= aead.c aead_chacha20_poly1305.c
LC_SRCS+= auth.c auth_hmac.c auth_poly1305.c
LC_SRCS+= cipher.c cipher_chacha20.c
LC_SRCS+= hash.c hash_sha384_sha512.c
LC_SRCS+= impl_chacha20.c impl_poly1305.c impl_sha512.c
LC_SRCS+= hash.c hash_sha224_sha256.c hash_sha384_sha512.c
LC_SRCS+= impl_chacha20.c impl_poly1305.c impl_sha256.c impl_sha512.c
LC_SRCS+= ct.c util.c
WARNINGS= Yes

3
README
View File

@ -20,6 +20,8 @@ Utilities
Hash
----
- [x] SHA-224
- [x] SHA-256
- [x] SHA-384
- [x] SHA-512 (needed for Ed25519)
@ -61,7 +63,6 @@ Utilities
Hash
----
- [ ] SHA-256 & SHA-224 (the latter is a truncated form of the former)
- [ ] SHA-512/224 & SHA-512/256 (most of the work done)
Authentication

View File

@ -21,6 +21,7 @@
#include "hash.h"
#include "auth_hmac.h"
#include "impl_hmac.h"
#include "impl_sha256.h"
#include "impl_sha512.h"
#include "util.h"
@ -57,6 +58,16 @@ hmac_common_init(void *arg, const uint8_t *key, size_t keylen)
lc_hash_update(ctx->hctx, ikeypad, ctx->blocksz);
}
int
hmac_sha224_sha256_init(void *arg, const uint8_t *key, size_t keylen)
{
struct hmac_ctx *ctx = arg;
ctx->blocksz = SHA256_CHUNK;
return hmac_common_init(ctx, key, keylen);
}
int
hmac_sha384_sha512_init(void *arg, const uint8_t *key, size_t keylen)
{
@ -124,6 +135,18 @@ hmac_common_ctx_new(const struct lc_hash_impl *impl)
return ctx;
}
static void *
hmac_sha224_ctx_new(void)
{
return hmac_common_ctx_new(lc_hash_impl_sha224());
}
static void *
hmac_sha256_ctx_new(void)
{
return hmac_common_ctx_new(lc_hash_impl_sha256());
}
static void *
hmac_sha384_ctx_new(void)
{
@ -146,6 +169,26 @@ hmac_ctx_free(void *arg)
}
static struct lc_auth_impl hmac_sha224_impl = {
.init = &hmac_sha224_sha256_init,
.update = &hmac_update,
.final = &hmac_final,
.auth = NULL,
.ctx_new = &hmac_sha224_ctx_new,
.ctx_free = &hmac_ctx_free,
};
static struct lc_auth_impl hmac_sha256_impl = {
.init = &hmac_sha224_sha256_init,
.update = &hmac_update,
.final = &hmac_final,
.auth = NULL,
.ctx_new = &hmac_sha256_ctx_new,
.ctx_free = &hmac_ctx_free,
};
static struct lc_auth_impl hmac_sha384_impl = {
.init = &hmac_sha384_sha512_init,
.update = &hmac_update,
@ -166,6 +209,18 @@ static struct lc_auth_impl hmac_sha512_impl = {
.ctx_free = &hmac_ctx_free,
};
const struct lc_auth_impl *
lc_auth_impl_hmac_sha224(void)
{
return &hmac_sha224_impl;
}
const struct lc_auth_impl *
lc_auth_impl_hmac_sha256(void)
{
return &hmac_sha256_impl;
}
const struct lc_auth_impl *
lc_auth_impl_hmac_sha384(void)
{

View File

@ -18,6 +18,7 @@
#include <stdint.h>
int hmac_sha224_sha256_init(void *, const uint8_t *, size_t);
int hmac_sha384_sha512_init(void *, const uint8_t *, size_t);
int hmac_update(void *, const uint8_t *, size_t);
int hmac_final(void *, uint8_t *, size_t *);

293
hash_sha224_sha256.c Normal file
View File

@ -0,0 +1,293 @@
/*
* Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdlib.h>
#include "lilcrypto.h"
#include "hash.h"
#include "hash_sha224_sha256.h"
#include "impl_sha256.h"
#include "util.h"
/*
* SHA-224 and SHA-256 implementations.
*
* This implementation doesn't support arbitrary amounts of bits, but only full
* bytes sizes. In particular, size is stored in bytes until the length has to
* be appended to the input. This is done to simplify overflow checks for input
* length.
*/
#define SHA256_SZ_MAX UINT32_C(0x1fffffff) /* 2^29 - 1 */
#define SHA224_H0_0 UINT32_C(0xc1059ed8)
#define SHA224_H0_1 UINT32_C(0x367cd507)
#define SHA224_H0_2 UINT32_C(0x3070dd17)
#define SHA224_H0_3 UINT32_C(0xf70e5939)
#define SHA224_H0_4 UINT32_C(0xffc00b31)
#define SHA224_H0_5 UINT32_C(0x68581511)
#define SHA224_H0_6 UINT32_C(0x64f98fa7)
#define SHA224_H0_7 UINT32_C(0xbefa4fa4)
#define SHA256_H0_0 UINT32_C(0x6a09e667)
#define SHA256_H0_1 UINT32_C(0xbb67ae85)
#define SHA256_H0_2 UINT32_C(0x3c6ef372)
#define SHA256_H0_3 UINT32_C(0xa54ff53a)
#define SHA256_H0_4 UINT32_C(0x510e527f)
#define SHA256_H0_5 UINT32_C(0x9b05688c)
#define SHA256_H0_6 UINT32_C(0x1f83d9ab)
#define SHA256_H0_7 UINT32_C(0x5be0cd19)
int
sha224_init(void *arg)
{
struct sha256_ctx *ctx = arg;
size_t i;
ctx->h0 = SHA224_H0_0;
ctx->h1 = SHA224_H0_1;
ctx->h2 = SHA224_H0_2;
ctx->h3 = SHA224_H0_3;
ctx->h4 = SHA224_H0_4;
ctx->h5 = SHA224_H0_5;
ctx->h6 = SHA224_H0_6;
ctx->h7 = SHA224_H0_7;
ctx->sz = 0;
ctx->mlen = 0;
for (i = 0; i < SHA256_CHUNK; i++)
ctx->m[i] = 0;
return 1;
}
int
sha256_init(void *arg)
{
struct sha256_ctx *ctx = arg;
size_t i;
ctx->h0 = SHA256_H0_0;
ctx->h1 = SHA256_H0_1;
ctx->h2 = SHA256_H0_2;
ctx->h3 = SHA256_H0_3;
ctx->h4 = SHA256_H0_4;
ctx->h5 = SHA256_H0_5;
ctx->h6 = SHA256_H0_6;
ctx->h7 = SHA256_H0_7;
ctx->sz = 0;
ctx->mlen = 0;
for (i = 0; i < SHA256_CHUNK; i++)
ctx->m[i] = 0;
return 1;
}
static int
sha224_sha256_update(void *arg, const uint8_t *in, size_t inlen)
{
struct sha256_ctx *ctx = arg;
size_t i;
if (inlen > SHA256_SZ_MAX - ctx->sz)
return 0;
ctx->sz += inlen;
for (i = 0; i + ctx->mlen < SHA256_CHUNK && i < inlen; i++)
ctx->m[i + ctx->mlen] = in[i];
ctx->mlen += i;
in += i;
inlen -= i;
if (ctx->mlen == SHA256_CHUNK) {
sha256_block(ctx);
ctx->mlen = 0;
}
if (inlen == 0)
return 1;
while (inlen >= SHA256_CHUNK) {
for (i = 0; i < SHA256_CHUNK; i++)
ctx->m[i] = in[i];
in += i;
inlen -= i;
sha256_block(ctx);
}
for (i = 0; i < inlen; i++)
ctx->m[i] = in[i];
ctx->mlen = inlen;
return 1;
}
int
sha224_update(void *arg, const uint8_t *in, size_t inlen)
{
return sha224_sha256_update(arg, in, inlen);
}
int
sha256_update(void *arg, const uint8_t *in, size_t inlen)
{
return sha224_sha256_update(arg, in, inlen);
}
static void
sha224_sha256_final(struct sha256_ctx *ctx)
{
size_t i, mlen;
mlen = ctx->mlen;
ctx->m[mlen++] = 0x80;
if (mlen >= SHA256_CHUNK - sizeof(uint64_t)) {
for (i = mlen; i < SHA256_CHUNK; i++)
ctx->m[i] = 0;
sha256_block(ctx);
mlen = 0;
}
for (i = mlen; i < SHA256_CHUNK - sizeof(uint64_t); i++)
ctx->m[i] = 0;
store64be(&ctx->m[i], ctx->sz << 3);
sha256_block(ctx);
}
int
sha224_final(void *arg, uint8_t *out, size_t *outlen)
{
struct sha256_ctx *ctx = arg;
*outlen = LC_SHA224_HASHLEN;
if (out == NULL)
return 1;
sha224_sha256_final(ctx);
store32be(out, ctx->h0);
store32be(out + 4, ctx->h1);
store32be(out + 8, ctx->h2);
store32be(out + 12, ctx->h3);
store32be(out + 16, ctx->h4);
store32be(out + 20, ctx->h5);
store32be(out + 24, ctx->h6);
lc_scrub(ctx, sizeof(*ctx));
return 1;
}
int
sha256_final(void *arg, uint8_t *out, size_t *outlen)
{
struct sha256_ctx *ctx = arg;
*outlen = LC_SHA256_HASHLEN;
if (out == NULL)
return 1;
sha224_sha256_final(ctx);
store32be(out, ctx->h0);
store32be(out + 4, ctx->h1);
store32be(out + 8, ctx->h2);
store32be(out + 12, ctx->h3);
store32be(out + 16, ctx->h4);
store32be(out + 20, ctx->h5);
store32be(out + 24, ctx->h6);
store32be(out + 28, ctx->h7);
lc_scrub(ctx, sizeof(*ctx));
return 1;
}
static int
sha224_hash(uint8_t *out, size_t *outlen, const uint8_t *in, size_t inlen)
{
struct sha256_ctx ctx;
if (out == NULL) {
*outlen = LC_SHA224_HASHLEN;
return 1;
}
return sha224_init(&ctx) &&
sha224_update(&ctx, in, inlen) &&
sha224_final(&ctx, out, outlen);
}
static int
sha256_hash(uint8_t *out, size_t *outlen, const uint8_t *in, size_t inlen)
{
struct sha256_ctx ctx;
if (out == NULL) {
*outlen = LC_SHA256_HASHLEN;
return 1;
}
return sha256_init(&ctx) &&
sha256_update(&ctx, in, inlen) &&
sha256_final(&ctx, out, outlen);
}
static void *
sha224_sha256_ctx_new(void)
{
return malloc(sizeof(struct sha256_ctx));
}
static struct lc_hash_impl sha224_impl = {
.init = &sha224_init,
.update = &sha224_update,
.final = &sha224_final,
.hash = &sha224_hash,
.ctx_new = &sha224_sha256_ctx_new,
.ctx_free = NULL,
};
static struct lc_hash_impl sha256_impl = {
.init = &sha256_init,
.update = &sha256_update,
.final = &sha256_final,
.hash = &sha256_hash,
.ctx_new = &sha224_sha256_ctx_new,
.ctx_free = NULL,
};
const struct lc_hash_impl *
lc_hash_impl_sha224(void)
{
return &sha224_impl;
}
const struct lc_hash_impl *
lc_hash_impl_sha256(void)
{
return &sha256_impl;
}

27
hash_sha224_sha256.h Normal file
View File

@ -0,0 +1,27 @@
/*
* Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stddef.h>
#include <stdint.h>
int sha224_init(void *);
int sha224_update(void *, const uint8_t *, size_t);
int sha224_final(void *, uint8_t *, size_t *);
int sha256_init(void *);
int sha256_update(void *, const uint8_t *, size_t);
int sha256_final(void *, uint8_t *, size_t *);

93
impl_sha256.c Normal file
View File

@ -0,0 +1,93 @@
/*
* Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stddef.h>
#include <stdint.h>
#include "impl_sha256.h"
#include "util.h"
static const uint32_t K[SHA256_ROUNDS] = {
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
};
#define CH(x, y, z) ((x & y) ^ (~x & z))
#define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
#define BSIG0(x) (rotr32(x, 2) ^ rotr32(x, 13) ^ rotr32(x, 22))
#define BSIG1(x) (rotr32(x, 6) ^ rotr32(x, 11) ^ rotr32(x, 25))
#define SSIG0(x) (rotr32(x, 7) ^ rotr32(x, 18) ^ (x >> 3))
#define SSIG1(x) (rotr32(x, 17) ^ rotr32(x, 19) ^ (x >> 10))
void
sha256_block(struct sha256_ctx *ctx)
{
uint32_t m[SHA256_CHUNK_WORDS], W[SHA256_ROUNDS];
uint32_t a, b, c, d, e, f, g, h, T1, T2;
size_t i;
for (i = 0; i < SHA256_CHUNK_WORDS; i++)
W[i] = m[i] = load32be(&ctx->m[i * 4]);
for (; i < SHA256_ROUNDS; i++)
W[i] = SSIG1(W[i - 2]) + W[i - 7] + SSIG0(W[i - 15]) +
W[i - 16];
a = ctx->h0;
b = ctx->h1;
c = ctx->h2;
d = ctx->h3;
e = ctx->h4;
f = ctx->h5;
g = ctx->h6;
h = ctx->h7;
for (i = 0; i < SHA256_ROUNDS; i++) {
T1 = h + BSIG1(e) + CH(e, f, g) + K[i] + W[i];
T2 = BSIG0(a) + MAJ(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
}
ctx->h0 += a;
ctx->h1 += b;
ctx->h2 += c;
ctx->h3 += d;
ctx->h4 += e;
ctx->h5 += f;
ctx->h6 += g;
ctx->h7 += h;
}

36
impl_sha256.h Normal file
View File

@ -0,0 +1,36 @@
/*
* Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stddef.h>
#include <stdint.h>
#include "lilcrypto.h"
#define SHA256_CHUNK 64
#define SHA256_CHUNK_WORDS (SHA256_CHUNK / sizeof(uint32_t))
#define SHA256_ROUNDS 64
struct sha256_ctx {
uint32_t h0, h1, h2, h3, h4, h5, h6, h7;
uint64_t sz;
size_t mlen;
uint8_t m[SHA256_CHUNK];
};
void sha256_block(struct sha256_ctx *);

View File

@ -24,6 +24,8 @@
*/
/* Hashes. */
#define LC_SHA224_HASHLEN 28
#define LC_SHA256_HASHLEN 32
#define LC_SHA384_HASHLEN 48
#define LC_SHA512_HASHLEN 64
@ -62,6 +64,8 @@ int lc_hash(const struct lc_hash_impl *, uint8_t *, size_t *,
struct lc_hash_ctx *lc_hash_ctx_new(const struct lc_hash_impl *);
void lc_hash_ctx_free(struct lc_hash_ctx *);
const struct lc_hash_impl *lc_hash_impl_sha224(void);
const struct lc_hash_impl *lc_hash_impl_sha256(void);
const struct lc_hash_impl *lc_hash_impl_sha384(void);
const struct lc_hash_impl *lc_hash_impl_sha512(void);
@ -84,6 +88,8 @@ struct lc_auth_ctx *lc_auth_ctx_new(const struct lc_auth_impl *);
void lc_auth_ctx_free(struct lc_auth_ctx *);
const struct lc_auth_impl *lc_auth_impl_poly1305(void);
const struct lc_auth_impl *lc_auth_impl_hmac_sha224(void);
const struct lc_auth_impl *lc_auth_impl_hmac_sha256(void);
const struct lc_auth_impl *lc_auth_impl_hmac_sha384(void);
const struct lc_auth_impl *lc_auth_impl_hmac_sha512(void);

View File

@ -33,6 +33,10 @@ tests-mac:
.endif
.for p in ${MAC}
perl ${.CURDIR}/mac.pl ${TESTOPTS} -x ./${p} \
${WYCHEPROOF_DIR}/testvectors/hmac_sha224_test.json \
${WYCHEPROOF_DIR}/testvectors_v1/hmac_sha224_test.json \
${WYCHEPROOF_DIR}/testvectors/hmac_sha256_test.json \
${WYCHEPROOF_DIR}/testvectors_v1/hmac_sha256_test.json \
${WYCHEPROOF_DIR}/testvectors/hmac_sha384_test.json \
${WYCHEPROOF_DIR}/testvectors_v1/hmac_sha384_test.json \
${WYCHEPROOF_DIR}/testvectors/hmac_sha512_test.json \

View File

@ -79,6 +79,8 @@ kw2impl(const char *s)
{
/* Needs to be sorted. */
static const struct kwimpl tbl[] = {
{ "HMACSHA224", &lc_auth_impl_hmac_sha224 },
{ "HMACSHA256", &lc_auth_impl_hmac_sha256 },
{ "HMACSHA384", &lc_auth_impl_hmac_sha384 },
{ "HMACSHA512", &lc_auth_impl_hmac_sha512 },
};