File: system\security\cryptography\sha256managed.cs
Project: ndp\clr\src\bcl\mscorlib.csproj (mscorlib)
// ==++==
// 
//   Copyright (c) Microsoft Corporation.  All rights reserved.
// 
// ==--==
// <OWNER>Microsoft</OWNER>
// 
 
//
// SHA256Managed.cs
//
// C# implementation of the proposed SHA-256 hash algorithm
//
 
namespace System.Security.Cryptography {
    using System;
    using System.Security;
    using System.Diagnostics.Contracts;
 
    [System.Runtime.InteropServices.ComVisible(true)]
    public class SHA256Managed : SHA256
    {
        private SHA256   _impl;
        private byte[]   _buffer;
        private long     _count; // Number of bytes in the hashed message
        private UInt32[] _stateSHA256;
        private UInt32[] _W;
 
        //
        // public constructors
        //
 
        public SHA256Managed()
        {
#if FEATURE_CRYPTO
            // .NET Framework 2.0 - 4.7.2 rejected all managed implementations when in FIPS mode
            // because the implementations are not certified. This causes problems for users who
            // need to run in FIPS mode when applications or libraries were written on systems
            // which did not.
            //
            // Rather than throw an Exception that an uncertified implementation is in use, the
            // behavior now is to shim into a wrapper over the Windows implementation in the
            // managed types.
            if (CryptoConfig.AllowOnlyFipsAlgorithms && AppContextSwitches.UseLegacyFipsThrow)
                throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm"));
            Contract.EndContractBlock();
#endif // FEATURE_CRYPTO
 
            if (CryptoConfig.AllowOnlyFipsAlgorithms) {
                _impl = SHA256.Create();
            } else {
                _stateSHA256 = new UInt32[8];
                _buffer = new byte[64];
                _W = new UInt32[64];
 
                InitializeState();
            }
        }
 
        //
        // public methods
        //
 
        public override void Initialize() {
            if (_impl != null) {
                _impl.Initialize();
            } else {
                InitializeState();
 
                // Zeroize potentially sensitive information.
                Array.Clear(_buffer, 0, _buffer.Length);
                Array.Clear(_W, 0, _W.Length);
            }
        }
 
        protected override void HashCore(byte[] rgb, int ibStart, int cbSize) {
            if (_impl != null) {
                _impl.TransformBlock(rgb, ibStart, cbSize, null, 0);
            } else {
                _HashData(rgb, ibStart, cbSize);
            }
        }
 
        protected override byte[] HashFinal() {
            if (_impl != null) {
                _impl.TransformFinalBlock(Array.Empty<byte>(), 0, 0);
                return _impl.Hash;
            }
 
            return _EndHash();
        }
 
        protected override void Dispose(bool disposing) {
            if (disposing) {
                if (_impl != null) {
                    _impl.Dispose();
                    // Don't null this out, or we exit "shimming mode".
                }
            }
 
            base.Dispose(disposing);
        }
 
        //
        // private methods
        //
 
        private void InitializeState() {
            _count = 0;
 
            _stateSHA256[0] = 0x6a09e667;
            _stateSHA256[1] = 0xbb67ae85;
            _stateSHA256[2] = 0x3c6ef372;
            _stateSHA256[3] = 0xa54ff53a;
            _stateSHA256[4] = 0x510e527f;
            _stateSHA256[5] = 0x9b05688c;
            _stateSHA256[6] = 0x1f83d9ab;
            _stateSHA256[7] = 0x5be0cd19;
        }
 
        /* SHA256 block update operation. Continues an SHA message-digest
           operation, processing another message block, and updating the
           context.
           */
 
        [System.Security.SecuritySafeCritical]  // auto-generated
        private unsafe void _HashData(byte[] partIn, int ibStart, int cbSize)
        {
            int bufferLen;
            int partInLen = cbSize;
            int partInBase = ibStart;
 
            /* Compute length of buffer */
            bufferLen = (int) (_count & 0x3f);
 
            /* Update number of bytes */
            _count += partInLen;
 
            fixed (uint* stateSHA256 = _stateSHA256) {
                fixed (byte* buffer = _buffer) {
                    fixed (uint* expandedBuffer = _W) {
                        if ((bufferLen > 0) && (bufferLen + partInLen >= 64)) {
                            Buffer.InternalBlockCopy(partIn, partInBase, _buffer, bufferLen, 64 - bufferLen);
                            partInBase += (64 - bufferLen);
                            partInLen -= (64 - bufferLen);
                            SHATransform(expandedBuffer, stateSHA256, buffer);
                            bufferLen = 0;
                        }
 
                        /* Copy input to temporary buffer and hash */
                        while (partInLen >= 64) {
                            Buffer.InternalBlockCopy(partIn, partInBase, _buffer, 0, 64);
                            partInBase += 64;
                            partInLen -= 64;
                            SHATransform(expandedBuffer, stateSHA256, buffer);
                        }
 
                        if (partInLen > 0) {
                            Buffer.InternalBlockCopy(partIn, partInBase, _buffer, bufferLen, partInLen);
                        }
                    }
                }
            }
        }
 
        /* SHA256 finalization. Ends an SHA256 message-digest operation, writing
           the message digest.
           */
 
        private byte[] _EndHash()
        {
            byte[]         pad;
            int            padLen;
            long           bitCount;
            byte[]         hash = new byte[32]; // HashSizeValue = 256
 
            /* Compute padding: 80 00 00 ... 00 00 <bit count>
             */
 
            padLen = 64 - (int)(_count & 0x3f);
            if (padLen <= 8)
                padLen += 64;
 
            pad = new byte[padLen];
            pad[0] = 0x80;
 
            //  Convert count to bit count
            bitCount = _count * 8;
 
            pad[padLen-8] = (byte) ((bitCount >> 56) & 0xff);
            pad[padLen-7] = (byte) ((bitCount >> 48) & 0xff);
            pad[padLen-6] = (byte) ((bitCount >> 40) & 0xff);
            pad[padLen-5] = (byte) ((bitCount >> 32) & 0xff);
            pad[padLen-4] = (byte) ((bitCount >> 24) & 0xff);
            pad[padLen-3] = (byte) ((bitCount >> 16) & 0xff);
            pad[padLen-2] = (byte) ((bitCount >> 8) & 0xff);
            pad[padLen-1] = (byte) ((bitCount >> 0) & 0xff);
 
            /* Digest padding */
            _HashData(pad, 0, pad.Length);
 
            /* Store digest */
            Utils.DWORDToBigEndian (hash, _stateSHA256, 8);
 
            HashValue = hash;
            return hash;
        }
 
        private readonly static UInt32[] _K = {
            0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
            0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
            0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
            0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
            0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
            0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
            0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
            0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
            0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
            0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
            0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
            0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
            0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
            0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
            0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
            0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
        };
 
        [System.Security.SecurityCritical]  // auto-generated
        private static unsafe void SHATransform (uint* expandedBuffer, uint* state, byte* block)
        {
            UInt32 a, b, c, d, e, f, h, g;
            UInt32 aa, bb, cc, dd, ee, ff, hh, gg;
            UInt32 T1;
 
            a = state[0];
            b = state[1];
            c = state[2];
            d = state[3];
            e = state[4];
            f = state[5];
            g = state[6];
            h = state[7];
 
            // fill in the first 16 bytes of W.
            Utils.DWORDFromBigEndian(expandedBuffer, 16, block);
            SHA256Expand(expandedBuffer);
 
            /* Apply the SHA256 compression function */
            // We are trying to be smart here and avoid as many copies as we can
            // The perf gain with this method over the straightforward modify and shift 
            // forward is >= 20%, so it's worth the pain
            for (int j=0; j<64; ) {
                T1 = h + Sigma_1(e) + Ch(e,f,g) + _K[j] + expandedBuffer[j];
                ee = d + T1;
                aa = T1 + Sigma_0(a) + Maj(a,b,c);
                j++;
 
                T1 = g + Sigma_1(ee) + Ch(ee,e,f) + _K[j] + expandedBuffer[j];
                ff = c + T1;
                bb = T1 + Sigma_0(aa) + Maj(aa,a,b);
                j++;
 
                T1 = f + Sigma_1(ff) + Ch(ff,ee,e) + _K[j] + expandedBuffer[j];
                gg = b + T1;
                cc = T1 + Sigma_0(bb) + Maj(bb,aa,a);
                j++;
 
                T1 = e + Sigma_1(gg) + Ch(gg,ff,ee) + _K[j] + expandedBuffer[j];
                hh = a + T1;
                dd = T1 + Sigma_0(cc) + Maj(cc,bb,aa);
                j++;
 
                T1 = ee + Sigma_1(hh) + Ch(hh,gg,ff) + _K[j] + expandedBuffer[j];
                h = aa + T1;
                d = T1 + Sigma_0(dd) + Maj(dd,cc,bb);
                j++;
 
                T1 = ff + Sigma_1(h) + Ch(h,hh,gg) + _K[j] + expandedBuffer[j];
                g = bb + T1;
                c = T1 + Sigma_0(d) + Maj(d,dd,cc);
                j++;
 
                T1 = gg + Sigma_1(g) + Ch(g,h,hh) + _K[j] + expandedBuffer[j];
                f = cc + T1;
                b = T1 + Sigma_0(c) + Maj(c,d,dd);
                j++;
 
                T1 = hh + Sigma_1(f) + Ch(f,g,h) + _K[j] + expandedBuffer[j];
                e = dd + T1;
                a = T1 + Sigma_0(b) + Maj(b,c,d);
                j++;
            }
 
            state[0] += a;
            state[1] += b;
            state[2] += c;
            state[3] += d;
            state[4] += e;
            state[5] += f;
            state[6] += g;
            state[7] += h;
        }
 
        private static UInt32 RotateRight(UInt32 x, int n) {
            return (((x) >> (n)) | ((x) << (32-(n))));
        }
 
        private static UInt32 Ch(UInt32 x, UInt32 y, UInt32 z) {
            return ((x & y) ^ ((x ^ 0xffffffff) & z));
        }
 
        private static UInt32 Maj(UInt32 x, UInt32 y, UInt32 z) {
            return ((x & y) ^ (x & z) ^ (y & z));
        }
 
        private static UInt32 sigma_0(UInt32 x) {
            return (RotateRight(x,7) ^ RotateRight(x,18) ^ (x >> 3));
        }
 
        private static UInt32 sigma_1(UInt32 x) {
            return (RotateRight(x,17) ^ RotateRight(x,19) ^ (x >> 10));
        }
 
        private static UInt32 Sigma_0(UInt32 x) {
            return (RotateRight(x,2) ^ RotateRight(x,13) ^ RotateRight(x,22));
        }
 
        private static UInt32 Sigma_1(UInt32 x) {
            return (RotateRight(x,6) ^ RotateRight(x,11) ^ RotateRight(x,25));
        }
 
        /* This function creates W_16,...,W_63 according to the formula
           W_j <- sigma_1(W_{j-2}) + W_{j-7} + sigma_0(W_{j-15}) + W_{j-16};
        */
 
        [System.Security.SecurityCritical]  // auto-generated
        private static unsafe void SHA256Expand (uint* x)
        {
            for (int i = 16; i < 64; i++) {
                x[i] = sigma_1(x[i-2]) + x[i-7] + sigma_0(x[i-15]) + x[i-16];
            }
        }
    }
}