1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005-2006, 2008-2021 Free Software Foundation, Inc.
5
6 This file is free software: you can redistribute it and/or modify
7 it under the terms of the GNU Lesser General Public License as
8 published by the Free Software Foundation; either version 2.1 of the
9 License, or (at your option) any later version.
10
11 This file is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with this program. If not, see <https://www.gnu.org/licenses/>. */
18
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21 */
22
23 #include <config.h>
24
25 #if HAVE_OPENSSL_SHA256
26 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
27 #endif
28 #include "sha256.h"
29
30 #include <stdalign.h>
31 #include <stdint.h>
32 #include <stdlib.h>
33 #include <string.h>
34
35 #if USE_UNLOCKED_IO
36 # include "unlocked-io.h"
37 #endif
38
39 #include <byteswap.h>
40 #ifdef WORDS_BIGENDIAN
41 # define SWAP(n) (n)
42 #else
43 # define SWAP(n) bswap_32 (n)
44 #endif
45
46 #define BLOCKSIZE 32768
47 #if BLOCKSIZE % 64 != 0
48 # error "invalid BLOCKSIZE"
49 #endif
50
51 #if ! HAVE_OPENSSL_SHA256
52 /* This array contains the bytes used to pad the buffer to the next
53 64-byte boundary. */
54 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
55
56
57 /*
58 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
59 initializes it to the start constants of the SHA256 algorithm. This
60 must be called before using hash in the call to sha256_hash
61 */
62 void
sha256_init_ctx(struct sha256_ctx * ctx)63 sha256_init_ctx (struct sha256_ctx *ctx)
64 {
65 ctx->state[0] = 0x6a09e667UL;
66 ctx->state[1] = 0xbb67ae85UL;
67 ctx->state[2] = 0x3c6ef372UL;
68 ctx->state[3] = 0xa54ff53aUL;
69 ctx->state[4] = 0x510e527fUL;
70 ctx->state[5] = 0x9b05688cUL;
71 ctx->state[6] = 0x1f83d9abUL;
72 ctx->state[7] = 0x5be0cd19UL;
73
74 ctx->total[0] = ctx->total[1] = 0;
75 ctx->buflen = 0;
76 }
77
78 void
sha224_init_ctx(struct sha256_ctx * ctx)79 sha224_init_ctx (struct sha256_ctx *ctx)
80 {
81 ctx->state[0] = 0xc1059ed8UL;
82 ctx->state[1] = 0x367cd507UL;
83 ctx->state[2] = 0x3070dd17UL;
84 ctx->state[3] = 0xf70e5939UL;
85 ctx->state[4] = 0xffc00b31UL;
86 ctx->state[5] = 0x68581511UL;
87 ctx->state[6] = 0x64f98fa7UL;
88 ctx->state[7] = 0xbefa4fa4UL;
89
90 ctx->total[0] = ctx->total[1] = 0;
91 ctx->buflen = 0;
92 }
93
94 /* Copy the value from v into the memory location pointed to by *CP,
95 If your architecture allows unaligned access, this is equivalent to
96 * (__typeof__ (v) *) cp = v */
97 static void
set_uint32(char * cp,uint32_t v)98 set_uint32 (char *cp, uint32_t v)
99 {
100 memcpy (cp, &v, sizeof v);
101 }
102
103 /* Put result from CTX in first 32 bytes following RESBUF.
104 The result must be in little endian byte order. */
105 void *
sha256_read_ctx(const struct sha256_ctx * ctx,void * resbuf)106 sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
107 {
108 int i;
109 char *r = resbuf;
110
111 for (i = 0; i < 8; i++)
112 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
113
114 return resbuf;
115 }
116
117 void *
sha224_read_ctx(const struct sha256_ctx * ctx,void * resbuf)118 sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
119 {
120 int i;
121 char *r = resbuf;
122
123 for (i = 0; i < 7; i++)
124 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
125
126 return resbuf;
127 }
128
129 /* Process the remaining bytes in the internal buffer and the usual
130 prolog according to the standard and write the result to RESBUF. */
131 static void
sha256_conclude_ctx(struct sha256_ctx * ctx)132 sha256_conclude_ctx (struct sha256_ctx *ctx)
133 {
134 /* Take yet unprocessed bytes into account. */
135 size_t bytes = ctx->buflen;
136 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
137
138 /* Now count remaining bytes. */
139 ctx->total[0] += bytes;
140 if (ctx->total[0] < bytes)
141 ++ctx->total[1];
142
143 /* Put the 64-bit file length in *bits* at the end of the buffer.
144 Use set_uint32 rather than a simple assignment, to avoid risk of
145 unaligned access. */
146 set_uint32 ((char *) &ctx->buffer[size - 2],
147 SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
148 set_uint32 ((char *) &ctx->buffer[size - 1],
149 SWAP (ctx->total[0] << 3));
150
151 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
152
153 /* Process last bytes. */
154 sha256_process_block (ctx->buffer, size * 4, ctx);
155 }
156
157 void *
sha256_finish_ctx(struct sha256_ctx * ctx,void * resbuf)158 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
159 {
160 sha256_conclude_ctx (ctx);
161 return sha256_read_ctx (ctx, resbuf);
162 }
163
164 void *
sha224_finish_ctx(struct sha256_ctx * ctx,void * resbuf)165 sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
166 {
167 sha256_conclude_ctx (ctx);
168 return sha224_read_ctx (ctx, resbuf);
169 }
170 #endif
171
172 #ifdef GL_COMPILE_CRYPTO_STREAM
173
174 #include "af_alg.h"
175
176 /* Compute message digest for bytes read from STREAM using algorithm ALG.
177 Write the message digest into RESBLOCK, which contains HASHLEN bytes.
178 The initial and finishing operations are INIT_CTX and FINISH_CTX.
179 Return zero if and only if successful. */
180 static int
shaxxx_stream(FILE * stream,char const * alg,void * resblock,ssize_t hashlen,void (* init_ctx)(struct sha256_ctx *),void * (* finish_ctx)(struct sha256_ctx *,void *))181 shaxxx_stream (FILE *stream, char const *alg, void *resblock,
182 ssize_t hashlen, void (*init_ctx) (struct sha256_ctx *),
183 void *(*finish_ctx) (struct sha256_ctx *, void *))
184 {
185 switch (afalg_stream (stream, alg, resblock, hashlen))
186 {
187 case 0: return 0;
188 case -EIO: return 1;
189 }
190
191 char *buffer = malloc (BLOCKSIZE + 72);
192 if (!buffer)
193 return 1;
194
195 struct sha256_ctx ctx;
196 init_ctx (&ctx);
197 size_t sum;
198
199 /* Iterate over full file contents. */
200 while (1)
201 {
202 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
203 computation function processes the whole buffer so that with the
204 next round of the loop another block can be read. */
205 size_t n;
206 sum = 0;
207
208 /* Read block. Take care for partial reads. */
209 while (1)
210 {
211 /* Either process a partial fread() from this loop,
212 or the fread() in afalg_stream may have gotten EOF.
213 We need to avoid a subsequent fread() as EOF may
214 not be sticky. For details of such systems, see:
215 https://sourceware.org/bugzilla/show_bug.cgi?id=1190 */
216 if (feof (stream))
217 goto process_partial_block;
218
219 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
220
221 sum += n;
222
223 if (sum == BLOCKSIZE)
224 break;
225
226 if (n == 0)
227 {
228 /* Check for the error flag IFF N == 0, so that we don't
229 exit the loop after a partial read due to e.g., EAGAIN
230 or EWOULDBLOCK. */
231 if (ferror (stream))
232 {
233 free (buffer);
234 return 1;
235 }
236 goto process_partial_block;
237 }
238 }
239
240 /* Process buffer with BLOCKSIZE bytes. Note that
241 BLOCKSIZE % 64 == 0
242 */
243 sha256_process_block (buffer, BLOCKSIZE, &ctx);
244 }
245
246 process_partial_block:;
247
248 /* Process any remaining bytes. */
249 if (sum > 0)
250 sha256_process_bytes (buffer, sum, &ctx);
251
252 /* Construct result in desired memory. */
253 finish_ctx (&ctx, resblock);
254 free (buffer);
255 return 0;
256 }
257
258 int
sha256_stream(FILE * stream,void * resblock)259 sha256_stream (FILE *stream, void *resblock)
260 {
261 return shaxxx_stream (stream, "sha256", resblock, SHA256_DIGEST_SIZE,
262 sha256_init_ctx, sha256_finish_ctx);
263 }
264
265 int
sha224_stream(FILE * stream,void * resblock)266 sha224_stream (FILE *stream, void *resblock)
267 {
268 return shaxxx_stream (stream, "sha224", resblock, SHA224_DIGEST_SIZE,
269 sha224_init_ctx, sha224_finish_ctx);
270 }
271 #endif
272
273 #if ! HAVE_OPENSSL_SHA256
274 /* Compute SHA256 message digest for LEN bytes beginning at BUFFER. The
275 result is always in little endian byte order, so that a byte-wise
276 output yields to the wanted ASCII representation of the message
277 digest. */
278 void *
sha256_buffer(const char * buffer,size_t len,void * resblock)279 sha256_buffer (const char *buffer, size_t len, void *resblock)
280 {
281 struct sha256_ctx ctx;
282
283 /* Initialize the computation context. */
284 sha256_init_ctx (&ctx);
285
286 /* Process whole buffer but last len % 64 bytes. */
287 sha256_process_bytes (buffer, len, &ctx);
288
289 /* Put result in desired memory area. */
290 return sha256_finish_ctx (&ctx, resblock);
291 }
292
293 void *
sha224_buffer(const char * buffer,size_t len,void * resblock)294 sha224_buffer (const char *buffer, size_t len, void *resblock)
295 {
296 struct sha256_ctx ctx;
297
298 /* Initialize the computation context. */
299 sha224_init_ctx (&ctx);
300
301 /* Process whole buffer but last len % 64 bytes. */
302 sha256_process_bytes (buffer, len, &ctx);
303
304 /* Put result in desired memory area. */
305 return sha224_finish_ctx (&ctx, resblock);
306 }
307
308 void
sha256_process_bytes(const void * buffer,size_t len,struct sha256_ctx * ctx)309 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
310 {
311 /* When we already have some bits in our internal buffer concatenate
312 both inputs first. */
313 if (ctx->buflen != 0)
314 {
315 size_t left_over = ctx->buflen;
316 size_t add = 128 - left_over > len ? len : 128 - left_over;
317
318 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
319 ctx->buflen += add;
320
321 if (ctx->buflen > 64)
322 {
323 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
324
325 ctx->buflen &= 63;
326 /* The regions in the following copy operation cannot overlap,
327 because ctx->buflen < 64 ≤ (left_over + add) & ~63. */
328 memcpy (ctx->buffer,
329 &((char *) ctx->buffer)[(left_over + add) & ~63],
330 ctx->buflen);
331 }
332
333 buffer = (const char *) buffer + add;
334 len -= add;
335 }
336
337 /* Process available complete blocks. */
338 if (len >= 64)
339 {
340 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
341 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
342 if (UNALIGNED_P (buffer))
343 while (len > 64)
344 {
345 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
346 buffer = (const char *) buffer + 64;
347 len -= 64;
348 }
349 else
350 #endif
351 {
352 sha256_process_block (buffer, len & ~63, ctx);
353 buffer = (const char *) buffer + (len & ~63);
354 len &= 63;
355 }
356 }
357
358 /* Move remaining bytes in internal buffer. */
359 if (len > 0)
360 {
361 size_t left_over = ctx->buflen;
362
363 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
364 left_over += len;
365 if (left_over >= 64)
366 {
367 sha256_process_block (ctx->buffer, 64, ctx);
368 left_over -= 64;
369 /* The regions in the following copy operation cannot overlap,
370 because left_over ≤ 64. */
371 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
372 }
373 ctx->buflen = left_over;
374 }
375 }
376
377 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
378
379 /* SHA256 round constants */
380 #define K(I) sha256_round_constants[I]
381 static const uint32_t sha256_round_constants[64] = {
382 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
383 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
384 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
385 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
386 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
387 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
388 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
389 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
390 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
391 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
392 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
393 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
394 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
395 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
396 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
397 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
398 };
399
400 /* Round functions. */
401 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
402 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
403
404 /* Process LEN bytes of BUFFER, accumulating context into CTX.
405 It is assumed that LEN % 64 == 0.
406 Most of this code comes from GnuPG's cipher/sha1.c. */
407
408 void
sha256_process_block(const void * buffer,size_t len,struct sha256_ctx * ctx)409 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
410 {
411 const uint32_t *words = buffer;
412 size_t nwords = len / sizeof (uint32_t);
413 const uint32_t *endp = words + nwords;
414 uint32_t x[16];
415 uint32_t a = ctx->state[0];
416 uint32_t b = ctx->state[1];
417 uint32_t c = ctx->state[2];
418 uint32_t d = ctx->state[3];
419 uint32_t e = ctx->state[4];
420 uint32_t f = ctx->state[5];
421 uint32_t g = ctx->state[6];
422 uint32_t h = ctx->state[7];
423 uint32_t lolen = len;
424
425 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
426 length of the file up to 2^64 bits. Here we only compute the
427 number of bytes. Do a double word increment. */
428 ctx->total[0] += lolen;
429 ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen);
430
431 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
432 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
433 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
434 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
435 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
436
437 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
438 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
439 , x[I&0x0f] = tm )
440
441 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
442 t1 = H + SS1(E) \
443 + F1(E,F,G) \
444 + K \
445 + M; \
446 D += t1; H = t0 + t1; \
447 } while(0)
448
449 while (words < endp)
450 {
451 uint32_t tm;
452 uint32_t t0, t1;
453 int t;
454 /* FIXME: see sha1.c for a better implementation. */
455 for (t = 0; t < 16; t++)
456 {
457 x[t] = SWAP (*words);
458 words++;
459 }
460
461 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
462 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
463 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
464 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
465 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
466 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
467 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
468 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
469 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
470 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
471 R( g, h, a, b, c, d, e, f, K(10), x[10] );
472 R( f, g, h, a, b, c, d, e, K(11), x[11] );
473 R( e, f, g, h, a, b, c, d, K(12), x[12] );
474 R( d, e, f, g, h, a, b, c, K(13), x[13] );
475 R( c, d, e, f, g, h, a, b, K(14), x[14] );
476 R( b, c, d, e, f, g, h, a, K(15), x[15] );
477 R( a, b, c, d, e, f, g, h, K(16), M(16) );
478 R( h, a, b, c, d, e, f, g, K(17), M(17) );
479 R( g, h, a, b, c, d, e, f, K(18), M(18) );
480 R( f, g, h, a, b, c, d, e, K(19), M(19) );
481 R( e, f, g, h, a, b, c, d, K(20), M(20) );
482 R( d, e, f, g, h, a, b, c, K(21), M(21) );
483 R( c, d, e, f, g, h, a, b, K(22), M(22) );
484 R( b, c, d, e, f, g, h, a, K(23), M(23) );
485 R( a, b, c, d, e, f, g, h, K(24), M(24) );
486 R( h, a, b, c, d, e, f, g, K(25), M(25) );
487 R( g, h, a, b, c, d, e, f, K(26), M(26) );
488 R( f, g, h, a, b, c, d, e, K(27), M(27) );
489 R( e, f, g, h, a, b, c, d, K(28), M(28) );
490 R( d, e, f, g, h, a, b, c, K(29), M(29) );
491 R( c, d, e, f, g, h, a, b, K(30), M(30) );
492 R( b, c, d, e, f, g, h, a, K(31), M(31) );
493 R( a, b, c, d, e, f, g, h, K(32), M(32) );
494 R( h, a, b, c, d, e, f, g, K(33), M(33) );
495 R( g, h, a, b, c, d, e, f, K(34), M(34) );
496 R( f, g, h, a, b, c, d, e, K(35), M(35) );
497 R( e, f, g, h, a, b, c, d, K(36), M(36) );
498 R( d, e, f, g, h, a, b, c, K(37), M(37) );
499 R( c, d, e, f, g, h, a, b, K(38), M(38) );
500 R( b, c, d, e, f, g, h, a, K(39), M(39) );
501 R( a, b, c, d, e, f, g, h, K(40), M(40) );
502 R( h, a, b, c, d, e, f, g, K(41), M(41) );
503 R( g, h, a, b, c, d, e, f, K(42), M(42) );
504 R( f, g, h, a, b, c, d, e, K(43), M(43) );
505 R( e, f, g, h, a, b, c, d, K(44), M(44) );
506 R( d, e, f, g, h, a, b, c, K(45), M(45) );
507 R( c, d, e, f, g, h, a, b, K(46), M(46) );
508 R( b, c, d, e, f, g, h, a, K(47), M(47) );
509 R( a, b, c, d, e, f, g, h, K(48), M(48) );
510 R( h, a, b, c, d, e, f, g, K(49), M(49) );
511 R( g, h, a, b, c, d, e, f, K(50), M(50) );
512 R( f, g, h, a, b, c, d, e, K(51), M(51) );
513 R( e, f, g, h, a, b, c, d, K(52), M(52) );
514 R( d, e, f, g, h, a, b, c, K(53), M(53) );
515 R( c, d, e, f, g, h, a, b, K(54), M(54) );
516 R( b, c, d, e, f, g, h, a, K(55), M(55) );
517 R( a, b, c, d, e, f, g, h, K(56), M(56) );
518 R( h, a, b, c, d, e, f, g, K(57), M(57) );
519 R( g, h, a, b, c, d, e, f, K(58), M(58) );
520 R( f, g, h, a, b, c, d, e, K(59), M(59) );
521 R( e, f, g, h, a, b, c, d, K(60), M(60) );
522 R( d, e, f, g, h, a, b, c, K(61), M(61) );
523 R( c, d, e, f, g, h, a, b, K(62), M(62) );
524 R( b, c, d, e, f, g, h, a, K(63), M(63) );
525
526 a = ctx->state[0] += a;
527 b = ctx->state[1] += b;
528 c = ctx->state[2] += c;
529 d = ctx->state[3] += d;
530 e = ctx->state[4] += e;
531 f = ctx->state[5] += f;
532 g = ctx->state[6] += g;
533 h = ctx->state[7] += h;
534 }
535 }
536 #endif
537
538 /*
539 * Hey Emacs!
540 * Local Variables:
541 * coding: utf-8
542 * End:
543 */
544