1 /*
2  * Copyright (c) 2023 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 //! This module implements the SHA256 hash algorithm.
17 
18 const LOWER_BYTES_MASK: u32 = 0xff;
19 const BITS_PER_U8: usize = 8;
20 const U8_PER_U32: usize = 4;
21 const SHA256_LEN: usize = 32;
22 const BYTES_PER_CHUNK: usize = 64;
23 
24 const SHA256_H: [u32; 8] =
25     [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];
26 
27 const SHA256_K: [u32; 64] = [
28     0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98,
29     0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
30     0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8,
31     0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
32     0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
33     0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
34     0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7,
35     0xc67178f2,
36 ];
37 
38 fn expand_chunk(plain_chunk: [u8; BYTES_PER_CHUNK]) -> [u32; BYTES_PER_CHUNK] {
39     let mut expanded_chunk = [0; BYTES_PER_CHUNK];
40     for (i, item) in expanded_chunk.iter_mut().enumerate().take(16) {
41         let offset = i * U8_PER_U32;
42         *item = ((plain_chunk[offset] as u32) << 24)
43             | ((plain_chunk[offset + 1] as u32) << 16)
44             | ((plain_chunk[offset + 2] as u32) << 8)
45             | (plain_chunk[offset + 3] as u32);
46     }
47 
48     for i in 16..64 {
49         let s0 = expanded_chunk[i - 15].rotate_right(7)
50             ^ expanded_chunk[i - 15].rotate_right(18)
51             ^ (expanded_chunk[i - 15] >> 3);
52         let s1 = expanded_chunk[i - 2].rotate_right(17)
53             ^ expanded_chunk[i - 2].rotate_right(19)
54             ^ (expanded_chunk[i - 2] >> 10);
55         expanded_chunk[i] =
56             expanded_chunk[i - 16].wrapping_add(s0).wrapping_add(expanded_chunk[i - 7]).wrapping_add(s1);
57     }
58     expanded_chunk
59 }
60 
61 fn compress_chunk(expanded_chunk: [u32; 64]) -> [u32; 8] {
62     let mut compressed_chunk: [u32; 8] = SHA256_H;
63     for i in 0..64 {
64         let s1 = compressed_chunk[4].rotate_right(6)
65             ^ compressed_chunk[4].rotate_right(11)
66             ^ compressed_chunk[4].rotate_right(25);
67         let choose = (compressed_chunk[4] & compressed_chunk[5]) ^ ((!compressed_chunk[4]) & compressed_chunk[6]);
68         let temp1 = compressed_chunk[7]
69             .wrapping_add(s1)
70             .wrapping_add(choose)
71             .wrapping_add(SHA256_K[i])
72             .wrapping_add(expanded_chunk[i]);
73         let s0 = compressed_chunk[0].rotate_right(2)
74             ^ compressed_chunk[0].rotate_right(13)
75             ^ compressed_chunk[0].rotate_right(22);
76         let major = (compressed_chunk[0] & compressed_chunk[1])
77             ^ (compressed_chunk[0] & compressed_chunk[2])
78             ^ (compressed_chunk[1] & compressed_chunk[2]);
79         let temp2 = s0.wrapping_add(major);
80         compressed_chunk[7] = compressed_chunk[6];
81         compressed_chunk[6] = compressed_chunk[5];
82         compressed_chunk[5] = compressed_chunk[4];
83         compressed_chunk[4] = compressed_chunk[3].wrapping_add(temp1);
84         compressed_chunk[3] = compressed_chunk[2];
85         compressed_chunk[2] = compressed_chunk[1];
86         compressed_chunk[1] = compressed_chunk[0];
87         compressed_chunk[0] = temp1.wrapping_add(temp2);
88     }
89     compressed_chunk
90 }
91 
compress(input_bytes: &[u8]) -> [u3292 fn compress(input_bytes: &[u8]) -> [u32; 8] {
93     let mut compress = SHA256_H;
94     let chunk_num = input_bytes.len() / BYTES_PER_CHUNK;
95     for i in 0..chunk_num {
96         // the try_into of array cannot be failed, for the length of plain_chunk is sure to be 64 as expected
97         let expanded_chunk =
98             expand_chunk(input_bytes[i * BYTES_PER_CHUNK..(i + 1) * BYTES_PER_CHUNK].try_into().unwrap());
99         let compressed_chunk: [u32; 8] = compress_chunk(expanded_chunk);
100         for j in 0..8 {
101             compress[j] = compress[j].wrapping_add(compressed_chunk[j]);
102         }
103     }
104     compress
105 }
106 
pre_process_msg(message: &[u8]) -> Vec<u8>107 fn pre_process_msg(message: &[u8]) -> Vec<u8> {
108     // padding
109     let mut message = message.to_vec();
110     let msg_len = message.len();
111     let padding_len =
112         if msg_len % BYTES_PER_CHUNK < 56 { 56 - msg_len % BYTES_PER_CHUNK } else { 120 - msg_len % BYTES_PER_CHUNK };
113 
114     message.push(0x80); // 1000 0000
115     message.append(&mut vec![0x00; padding_len - 1]);
116 
117     let msg_bit_len = msg_len * BITS_PER_U8;
118     for i in 0..8 {
119         let split_byte = ((msg_bit_len >> (56 - i * BITS_PER_U8)) & LOWER_BYTES_MASK as usize) as u8;
120         message.push(split_byte);
121     }
122     message
123 }
124 
125 fn into_vec_u8(hash: &[u32; 8]) -> Vec<u8> {
126     let mut ret = [0; SHA256_LEN];
127     for i in 0..hash.len() {
128         ret[i * U8_PER_U32] = ((hash[i] >> 24) & LOWER_BYTES_MASK) as u8;
129         ret[i * U8_PER_U32 + 1] = ((hash[i] >> 16) & LOWER_BYTES_MASK) as u8;
130         ret[i * U8_PER_U32 + 2] = ((hash[i] >> 8) & LOWER_BYTES_MASK) as u8;
131         ret[i * U8_PER_U32 + 3] = (hash[i] & LOWER_BYTES_MASK) as u8;
132     }
133 
134     ret.to_vec()
135 }
136 
137 extern "C" {
Sha256(input: *const u8, input_len: u32, output: *mut u8)138     fn Sha256(input: *const u8, input_len: u32, output: *mut u8);
139 }
140 
141 const SHA256_OUTPUT_LEN: usize = 32;
142 
143 /// the function to execute sha256 by openssl.
sha256_new(message: &[u8]) -> Vec<u8>144 fn sha256_new(message: &[u8]) -> Vec<u8> {
145     let mut res = vec![0; SHA256_OUTPUT_LEN];
146     unsafe { Sha256(message.as_ptr(), message.len() as u32, res.as_mut_ptr()) }
147     res
148 }
149 
150 /// the function to execute sha256 by self-implemented.
sha256_old(message: &[u8]) -> Vec<u8>151 fn sha256_old(message: &[u8]) -> Vec<u8> {
152     let processed_msg = pre_process_msg(message);
153     into_vec_u8(&compress(&processed_msg))
154 }
155 
156 /// the function to execute sha256
sha256(standard: bool, message: &[u8]) -> Vec<u8>157 pub fn sha256(standard: bool, message: &[u8]) -> Vec<u8> {
158     if standard {
159         return sha256_new(message);
160     }
161 
162     sha256_old(message)
163 }