1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005, 2006 Free Software Foundation, Inc.
5
6 This program is free software; you can redistribute it and/or modify it
7 under the terms of the GNU General Public License as published by the
8 Free Software Foundation; either version 2, or (at your option) any
9 later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software Foundation,
18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
19
20 /* Written by David Madore, considerably copypasting from
21 Scott G. Miller's sha1.c
22 */
23
24 #include "sha256.h"
25
26 #include <stddef.h>
27 #include <string.h>
28
29 #if USE_UNLOCKED_IO
30 #include "unlocked-io.h"
31 #endif
32
33 #ifdef WORDS_BIGENDIAN
34 #define SWAP(n) (n)
35 #else
36 #define SWAP(n) \
37 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
38 #endif
39
40 #define BLOCKSIZE 4096
41 #if BLOCKSIZE % 64 != 0
42 #error "invalid BLOCKSIZE"
43 #endif
44
45 /* This array contains the bytes used to pad the buffer to the next
46 64-byte boundary. */
47 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
48
49 /*
50 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
51 intializes it to the start constants of the SHA256 algorithm. This
52 must be called before using hash in the call to sha256_hash
53 */
sha256_init_ctx(struct sha256_ctx * ctx)54 void sha256_init_ctx(struct sha256_ctx *ctx)
55 {
56 ctx->state[0] = 0x6a09e667UL;
57 ctx->state[1] = 0xbb67ae85UL;
58 ctx->state[2] = 0x3c6ef372UL;
59 ctx->state[3] = 0xa54ff53aUL;
60 ctx->state[4] = 0x510e527fUL;
61 ctx->state[5] = 0x9b05688cUL;
62 ctx->state[6] = 0x1f83d9abUL;
63 ctx->state[7] = 0x5be0cd19UL;
64
65 ctx->total[0] = ctx->total[1] = 0;
66 ctx->buflen = 0;
67 }
68
sha224_init_ctx(struct sha256_ctx * ctx)69 void sha224_init_ctx(struct sha256_ctx *ctx)
70 {
71 ctx->state[0] = 0xc1059ed8UL;
72 ctx->state[1] = 0x367cd507UL;
73 ctx->state[2] = 0x3070dd17UL;
74 ctx->state[3] = 0xf70e5939UL;
75 ctx->state[4] = 0xffc00b31UL;
76 ctx->state[5] = 0x68581511UL;
77 ctx->state[6] = 0x64f98fa7UL;
78 ctx->state[7] = 0xbefa4fa4UL;
79
80 ctx->total[0] = ctx->total[1] = 0;
81 ctx->buflen = 0;
82 }
83
84 /* Put result from CTX in first 32 bytes following RESBUF. The result
85 must be in little endian byte order.
86
87 IMPORTANT: On some systems it is required that RESBUF is correctly
88 aligned for a 32-bit value. */
sha256_read_ctx(const struct sha256_ctx * ctx,void * resbuf)89 void *sha256_read_ctx(const struct sha256_ctx *ctx, void *resbuf)
90 {
91 int i;
92
93 for (i = 0; i < 8; i++)
94 ((uint32_t *) resbuf)[i] = SWAP(ctx->state[i]);
95
96 return resbuf;
97 }
98
sha224_read_ctx(const struct sha256_ctx * ctx,void * resbuf)99 void *sha224_read_ctx(const struct sha256_ctx *ctx, void *resbuf)
100 {
101 int i;
102
103 for (i = 0; i < 7; i++)
104 ((uint32_t *) resbuf)[i] = SWAP(ctx->state[i]);
105
106 return resbuf;
107 }
108
109 /* Process the remaining bytes in the internal buffer and the usual
110 prolog according to the standard and write the result to RESBUF.
111
112 IMPORTANT: On some systems it is required that RESBUF is correctly
113 aligned for a 32-bit value. */
sha256_conclude_ctx(struct sha256_ctx * ctx)114 static void sha256_conclude_ctx(struct sha256_ctx *ctx)
115 {
116 /* Take yet unprocessed bytes into account. */
117 uint32_t bytes = ctx->buflen;
118 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
119
120 /* Now count remaining bytes. */
121 ctx->total[0] += bytes;
122 if (ctx->total[0] < bytes)
123 ++ctx->total[1];
124
125 /* Put the 64-bit file length in *bits* at the end of the buffer. */
126 ctx->buffer[size - 2] =
127 SWAP((ctx->total[1] << 3) | (ctx->total[0] >> 29));
128 ctx->buffer[size - 1] = SWAP(ctx->total[0] << 3);
129
130 memcpy(&((char *)ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
131
132 /* Process last bytes. */
133 sha256_process_block(ctx->buffer, size * 4, ctx);
134 }
135
sha256_finish_ctx(struct sha256_ctx * ctx,void * resbuf)136 void *sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf)
137 {
138 sha256_conclude_ctx(ctx);
139 return sha256_read_ctx(ctx, resbuf);
140 }
141
sha224_finish_ctx(struct sha256_ctx * ctx,void * resbuf)142 void *sha224_finish_ctx(struct sha256_ctx *ctx, void *resbuf)
143 {
144 sha256_conclude_ctx(ctx);
145 return sha224_read_ctx(ctx, resbuf);
146 }
147
148 /* Compute SHA256 message digest for bytes read from STREAM. The
149 resulting message digest number will be written into the 32 bytes
150 beginning at RESBLOCK. */
sha256_stream(FILE * stream,void * resblock)151 int sha256_stream(FILE * stream, void *resblock)
152 {
153 struct sha256_ctx ctx;
154 char buffer[BLOCKSIZE + 72];
155 size_t sum;
156
157 /* Initialize the computation context. */
158 sha256_init_ctx(&ctx);
159
160 /* Iterate over full file contents. */
161 while (1) {
162 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
163 computation function processes the whole buffer so that with the
164 next round of the loop another block can be read. */
165 size_t n;
166 sum = 0;
167
168 /* Read block. Take care for partial reads. */
169 while (1) {
170 n = fread(buffer + sum, 1, BLOCKSIZE - sum, stream);
171
172 sum += n;
173
174 if (sum == BLOCKSIZE)
175 break;
176
177 if (n == 0) {
178 /* Check for the error flag IFF N == 0, so that we don't
179 exit the loop after a partial read due to e.g., EAGAIN
180 or EWOULDBLOCK. */
181 if (ferror(stream))
182 return 1;
183 goto process_partial_block;
184 }
185
186 /* We've read at least one byte, so ignore errors. But always
187 check for EOF, since feof may be true even though N > 0.
188 Otherwise, we could end up calling fread after EOF. */
189 if (feof(stream))
190 goto process_partial_block;
191 }
192
193 /* Process buffer with BLOCKSIZE bytes. Note that
194 BLOCKSIZE % 64 == 0
195 */
196 sha256_process_block(buffer, BLOCKSIZE, &ctx);
197 }
198
199 process_partial_block:;
200
201 /* Process any remaining bytes. */
202 if (sum > 0)
203 sha256_process_bytes(buffer, sum, &ctx);
204
205 /* Construct result in desired memory. */
206 sha256_finish_ctx(&ctx, resblock);
207 return 0;
208 }
209
210 /* FIXME: Avoid code duplication */
sha224_stream(FILE * stream,void * resblock)211 int sha224_stream(FILE * stream, void *resblock)
212 {
213 struct sha256_ctx ctx;
214 char buffer[BLOCKSIZE + 72];
215 size_t sum;
216
217 /* Initialize the computation context. */
218 sha224_init_ctx(&ctx);
219
220 /* Iterate over full file contents. */
221 while (1) {
222 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
223 computation function processes the whole buffer so that with the
224 next round of the loop another block can be read. */
225 size_t n;
226 sum = 0;
227
228 /* Read block. Take care for partial reads. */
229 while (1) {
230 n = fread(buffer + sum, 1, BLOCKSIZE - sum, stream);
231
232 sum += n;
233
234 if (sum == BLOCKSIZE)
235 break;
236
237 if (n == 0) {
238 /* Check for the error flag IFF N == 0, so that we don't
239 exit the loop after a partial read due to e.g., EAGAIN
240 or EWOULDBLOCK. */
241 if (ferror(stream))
242 return 1;
243 goto process_partial_block;
244 }
245
246 /* We've read at least one byte, so ignore errors. But always
247 check for EOF, since feof may be true even though N > 0.
248 Otherwise, we could end up calling fread after EOF. */
249 if (feof(stream))
250 goto process_partial_block;
251 }
252
253 /* Process buffer with BLOCKSIZE bytes. Note that
254 BLOCKSIZE % 64 == 0
255 */
256 sha256_process_block(buffer, BLOCKSIZE, &ctx);
257 }
258
259 process_partial_block:;
260
261 /* Process any remaining bytes. */
262 if (sum > 0)
263 sha256_process_bytes(buffer, sum, &ctx);
264
265 /* Construct result in desired memory. */
266 sha224_finish_ctx(&ctx, resblock);
267 return 0;
268 }
269
270 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
271 result is always in little endian byte order, so that a byte-wise
272 output yields to the wanted ASCII representation of the message
273 digest. */
sha256_buffer(const char * buffer,size_t len,void * resblock)274 void *sha256_buffer(const char *buffer, size_t len, void *resblock)
275 {
276 struct sha256_ctx ctx;
277
278 /* Initialize the computation context. */
279 sha256_init_ctx(&ctx);
280
281 /* Process whole buffer but last len % 64 bytes. */
282 sha256_process_bytes(buffer, len, &ctx);
283
284 /* Put result in desired memory area. */
285 return sha256_finish_ctx(&ctx, resblock);
286 }
287
sha224_buffer(const char * buffer,size_t len,void * resblock)288 void *sha224_buffer(const char *buffer, size_t len, void *resblock)
289 {
290 struct sha256_ctx ctx;
291
292 /* Initialize the computation context. */
293 sha224_init_ctx(&ctx);
294
295 /* Process whole buffer but last len % 64 bytes. */
296 sha256_process_bytes(buffer, len, &ctx);
297
298 /* Put result in desired memory area. */
299 return sha224_finish_ctx(&ctx, resblock);
300 }
301
302 void
sha256_process_bytes(const void * buffer,size_t len,struct sha256_ctx * ctx)303 sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx)
304 {
305 /* When we already have some bits in our internal buffer concatenate
306 both inputs first. */
307 if (ctx->buflen != 0) {
308 size_t left_over = ctx->buflen;
309 size_t add = 128 - left_over > len ? len : 128 - left_over;
310
311 memcpy(&((char *)ctx->buffer)[left_over], buffer, add);
312 ctx->buflen += add;
313
314 if (ctx->buflen > 64) {
315 sha256_process_block(ctx->buffer, ctx->buflen & ~63,
316 ctx);
317
318 ctx->buflen &= 63;
319 /* The regions in the following copy operation cannot overlap. */
320 memcpy(ctx->buffer,
321 &((char *)ctx->buffer)[(left_over + add) & ~63],
322 ctx->buflen);
323 }
324
325 buffer = (const char *)buffer + add;
326 len -= add;
327 }
328
329 /* Process available complete blocks. */
330 if (len >= 64) {
331 #if !_STRING_ARCH_unaligned
332 #define alignof(type) offsetof (struct { char c; type x; }, x)
333 #define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0)
334 if (UNALIGNED_P(buffer))
335 while (len > 64) {
336 sha256_process_block(memcpy
337 (ctx->buffer, buffer, 64),
338 64, ctx);
339 buffer = (const char *)buffer + 64;
340 len -= 64;
341 } else
342 #endif
343 {
344 sha256_process_block(buffer, len & ~63, ctx);
345 buffer = (const char *)buffer + (len & ~63);
346 len &= 63;
347 }
348 }
349
350 /* Move remaining bytes in internal buffer. */
351 if (len > 0) {
352 size_t left_over = ctx->buflen;
353
354 memcpy(&((char *)ctx->buffer)[left_over], buffer, len);
355 left_over += len;
356 if (left_over >= 64) {
357 sha256_process_block(ctx->buffer, 64, ctx);
358 left_over -= 64;
359 memcpy(ctx->buffer, &ctx->buffer[16], left_over);
360 }
361 ctx->buflen = left_over;
362 }
363 }
364
365 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
366
367 /* SHA256 round constants */
368 #define K(I) sha256_round_constants[I]
369 static const uint32_t sha256_round_constants[64] = {
370 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
371 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
372 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
373 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
374 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
375 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
376 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
377 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
378 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
379 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
380 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
381 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
382 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
383 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
384 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
385 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
386 };
387
388 /* Round functions. */
389 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
390 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
391
392 /* Process LEN bytes of BUFFER, accumulating context into CTX.
393 It is assumed that LEN % 64 == 0.
394 Most of this code comes from GnuPG's cipher/sha1.c. */
395
396 void
sha256_process_block(const void * buffer,size_t len,struct sha256_ctx * ctx)397 sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx)
398 {
399 const uint32_t *words = buffer;
400 size_t nwords = len / sizeof(uint32_t);
401 const uint32_t *endp = words + nwords;
402 uint32_t x[16];
403 uint32_t a = ctx->state[0];
404 uint32_t b = ctx->state[1];
405 uint32_t c = ctx->state[2];
406 uint32_t d = ctx->state[3];
407 uint32_t e = ctx->state[4];
408 uint32_t f = ctx->state[5];
409 uint32_t g = ctx->state[6];
410 uint32_t h = ctx->state[7];
411
412 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
413 length of the file up to 2^64 bits. Here we only compute the
414 number of bytes. Do a double word increment. */
415 ctx->total[0] += len;
416 if (ctx->total[0] < len)
417 ++ctx->total[1];
418
419 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
420 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
421 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
422 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
423 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
424
425 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
426 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
427 , x[I&0x0f] = tm )
428
429 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
430 t1 = H + SS1(E) \
431 + F1(E,F,G) \
432 + K \
433 + M; \
434 D += t1; H = t0 + t1; \
435 } while(0)
436
437 while (words < endp) {
438 uint32_t tm;
439 uint32_t t0, t1;
440 int t;
441 /* FIXME: see sha1.c for a better implementation. */
442 for (t = 0; t < 16; t++) {
443 x[t] = SWAP(*words);
444 words++;
445 }
446
447 R(a, b, c, d, e, f, g, h, K(0), x[0]);
448 R(h, a, b, c, d, e, f, g, K(1), x[1]);
449 R(g, h, a, b, c, d, e, f, K(2), x[2]);
450 R(f, g, h, a, b, c, d, e, K(3), x[3]);
451 R(e, f, g, h, a, b, c, d, K(4), x[4]);
452 R(d, e, f, g, h, a, b, c, K(5), x[5]);
453 R(c, d, e, f, g, h, a, b, K(6), x[6]);
454 R(b, c, d, e, f, g, h, a, K(7), x[7]);
455 R(a, b, c, d, e, f, g, h, K(8), x[8]);
456 R(h, a, b, c, d, e, f, g, K(9), x[9]);
457 R(g, h, a, b, c, d, e, f, K(10), x[10]);
458 R(f, g, h, a, b, c, d, e, K(11), x[11]);
459 R(e, f, g, h, a, b, c, d, K(12), x[12]);
460 R(d, e, f, g, h, a, b, c, K(13), x[13]);
461 R(c, d, e, f, g, h, a, b, K(14), x[14]);
462 R(b, c, d, e, f, g, h, a, K(15), x[15]);
463 R(a, b, c, d, e, f, g, h, K(16), M(16));
464 R(h, a, b, c, d, e, f, g, K(17), M(17));
465 R(g, h, a, b, c, d, e, f, K(18), M(18));
466 R(f, g, h, a, b, c, d, e, K(19), M(19));
467 R(e, f, g, h, a, b, c, d, K(20), M(20));
468 R(d, e, f, g, h, a, b, c, K(21), M(21));
469 R(c, d, e, f, g, h, a, b, K(22), M(22));
470 R(b, c, d, e, f, g, h, a, K(23), M(23));
471 R(a, b, c, d, e, f, g, h, K(24), M(24));
472 R(h, a, b, c, d, e, f, g, K(25), M(25));
473 R(g, h, a, b, c, d, e, f, K(26), M(26));
474 R(f, g, h, a, b, c, d, e, K(27), M(27));
475 R(e, f, g, h, a, b, c, d, K(28), M(28));
476 R(d, e, f, g, h, a, b, c, K(29), M(29));
477 R(c, d, e, f, g, h, a, b, K(30), M(30));
478 R(b, c, d, e, f, g, h, a, K(31), M(31));
479 R(a, b, c, d, e, f, g, h, K(32), M(32));
480 R(h, a, b, c, d, e, f, g, K(33), M(33));
481 R(g, h, a, b, c, d, e, f, K(34), M(34));
482 R(f, g, h, a, b, c, d, e, K(35), M(35));
483 R(e, f, g, h, a, b, c, d, K(36), M(36));
484 R(d, e, f, g, h, a, b, c, K(37), M(37));
485 R(c, d, e, f, g, h, a, b, K(38), M(38));
486 R(b, c, d, e, f, g, h, a, K(39), M(39));
487 R(a, b, c, d, e, f, g, h, K(40), M(40));
488 R(h, a, b, c, d, e, f, g, K(41), M(41));
489 R(g, h, a, b, c, d, e, f, K(42), M(42));
490 R(f, g, h, a, b, c, d, e, K(43), M(43));
491 R(e, f, g, h, a, b, c, d, K(44), M(44));
492 R(d, e, f, g, h, a, b, c, K(45), M(45));
493 R(c, d, e, f, g, h, a, b, K(46), M(46));
494 R(b, c, d, e, f, g, h, a, K(47), M(47));
495 R(a, b, c, d, e, f, g, h, K(48), M(48));
496 R(h, a, b, c, d, e, f, g, K(49), M(49));
497 R(g, h, a, b, c, d, e, f, K(50), M(50));
498 R(f, g, h, a, b, c, d, e, K(51), M(51));
499 R(e, f, g, h, a, b, c, d, K(52), M(52));
500 R(d, e, f, g, h, a, b, c, K(53), M(53));
501 R(c, d, e, f, g, h, a, b, K(54), M(54));
502 R(b, c, d, e, f, g, h, a, K(55), M(55));
503 R(a, b, c, d, e, f, g, h, K(56), M(56));
504 R(h, a, b, c, d, e, f, g, K(57), M(57));
505 R(g, h, a, b, c, d, e, f, K(58), M(58));
506 R(f, g, h, a, b, c, d, e, K(59), M(59));
507 R(e, f, g, h, a, b, c, d, K(60), M(60));
508 R(d, e, f, g, h, a, b, c, K(61), M(61));
509 R(c, d, e, f, g, h, a, b, K(62), M(62));
510 R(b, c, d, e, f, g, h, a, K(63), M(63));
511
512 a = ctx->state[0] += a;
513 b = ctx->state[1] += b;
514 c = ctx->state[2] += c;
515 d = ctx->state[3] += d;
516 e = ctx->state[4] += e;
517 f = ctx->state[5] += f;
518 g = ctx->state[6] += g;
519 h = ctx->state[7] += h;
520 }
521 }
522