1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
4 Copyright (C) 2005, 2006 Free Software Foundation, Inc.
6 This program is free software; you can redistribute it and/or modify it
7 under the terms of the GNU General Public License as published by the
8 Free Software Foundation; either version 2, or (at your option) any
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software Foundation,
18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
20 /* Written by David Madore, considerably copypasting from
21 Scott G. Miller's sha1.c
30 #include "unlocked-io.h"
33 #ifdef WORDS_BIGENDIAN
37 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
40 #define BLOCKSIZE 4096
41 #if BLOCKSIZE % 64 != 0
42 #error "invalid BLOCKSIZE"
45 /* This array contains the bytes used to pad the buffer to the next
47 static const unsigned char fillbuf
[64] = { 0x80, 0 /* , 0, 0, ... */ };
50 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
51 intializes it to the start constants of the SHA256 algorithm. This
52 must be called before using hash in the call to sha256_hash
54 void sha256_init_ctx(struct sha256_ctx
*ctx
)
56 ctx
->state
[0] = 0x6a09e667UL
;
57 ctx
->state
[1] = 0xbb67ae85UL
;
58 ctx
->state
[2] = 0x3c6ef372UL
;
59 ctx
->state
[3] = 0xa54ff53aUL
;
60 ctx
->state
[4] = 0x510e527fUL
;
61 ctx
->state
[5] = 0x9b05688cUL
;
62 ctx
->state
[6] = 0x1f83d9abUL
;
63 ctx
->state
[7] = 0x5be0cd19UL
;
65 ctx
->total
[0] = ctx
->total
[1] = 0;
69 void sha224_init_ctx(struct sha256_ctx
*ctx
)
71 ctx
->state
[0] = 0xc1059ed8UL
;
72 ctx
->state
[1] = 0x367cd507UL
;
73 ctx
->state
[2] = 0x3070dd17UL
;
74 ctx
->state
[3] = 0xf70e5939UL
;
75 ctx
->state
[4] = 0xffc00b31UL
;
76 ctx
->state
[5] = 0x68581511UL
;
77 ctx
->state
[6] = 0x64f98fa7UL
;
78 ctx
->state
[7] = 0xbefa4fa4UL
;
80 ctx
->total
[0] = ctx
->total
[1] = 0;
84 /* Put result from CTX in first 32 bytes following RESBUF. The result
85 must be in little endian byte order.
87 IMPORTANT: On some systems it is required that RESBUF is correctly
88 aligned for a 32-bit value. */
89 void *sha256_read_ctx(const struct sha256_ctx
*ctx
, void *resbuf
)
93 for (i
= 0; i
< 8; i
++)
94 ((uint32_t *) resbuf
)[i
] = SWAP(ctx
->state
[i
]);
99 void *sha224_read_ctx(const struct sha256_ctx
*ctx
, void *resbuf
)
103 for (i
= 0; i
< 7; i
++)
104 ((uint32_t *) resbuf
)[i
] = SWAP(ctx
->state
[i
]);
109 /* Process the remaining bytes in the internal buffer and the usual
110 prolog according to the standard and write the result to RESBUF.
112 IMPORTANT: On some systems it is required that RESBUF is correctly
113 aligned for a 32-bit value. */
114 static void sha256_conclude_ctx(struct sha256_ctx
*ctx
)
116 /* Take yet unprocessed bytes into account. */
117 uint32_t bytes
= ctx
->buflen
;
118 size_t size
= (bytes
< 56) ? 64 / 4 : 64 * 2 / 4;
120 /* Now count remaining bytes. */
121 ctx
->total
[0] += bytes
;
122 if (ctx
->total
[0] < bytes
)
125 /* Put the 64-bit file length in *bits* at the end of the buffer. */
126 ctx
->buffer
[size
- 2] =
127 SWAP((ctx
->total
[1] << 3) | (ctx
->total
[0] >> 29));
128 ctx
->buffer
[size
- 1] = SWAP(ctx
->total
[0] << 3);
130 memcpy(&((char *)ctx
->buffer
)[bytes
], fillbuf
, (size
- 2) * 4 - bytes
);
132 /* Process last bytes. */
133 sha256_process_block(ctx
->buffer
, size
* 4, ctx
);
136 void *sha256_finish_ctx(struct sha256_ctx
*ctx
, void *resbuf
)
138 sha256_conclude_ctx(ctx
);
139 return sha256_read_ctx(ctx
, resbuf
);
142 void *sha224_finish_ctx(struct sha256_ctx
*ctx
, void *resbuf
)
144 sha256_conclude_ctx(ctx
);
145 return sha224_read_ctx(ctx
, resbuf
);
148 /* Compute SHA256 message digest for bytes read from STREAM. The
149 resulting message digest number will be written into the 32 bytes
150 beginning at RESBLOCK. */
151 int sha256_stream(FILE * stream
, void *resblock
)
153 struct sha256_ctx ctx
;
154 char buffer
[BLOCKSIZE
+ 72];
157 /* Initialize the computation context. */
158 sha256_init_ctx(&ctx
);
160 /* Iterate over full file contents. */
162 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
163 computation function processes the whole buffer so that with the
164 next round of the loop another block can be read. */
168 /* Read block. Take care for partial reads. */
170 n
= fread(buffer
+ sum
, 1, BLOCKSIZE
- sum
, stream
);
174 if (sum
== BLOCKSIZE
)
178 /* Check for the error flag IFF N == 0, so that we don't
179 exit the loop after a partial read due to e.g., EAGAIN
183 goto process_partial_block
;
186 /* We've read at least one byte, so ignore errors. But always
187 check for EOF, since feof may be true even though N > 0.
188 Otherwise, we could end up calling fread after EOF. */
190 goto process_partial_block
;
193 /* Process buffer with BLOCKSIZE bytes. Note that
196 sha256_process_block(buffer
, BLOCKSIZE
, &ctx
);
199 process_partial_block
:;
201 /* Process any remaining bytes. */
203 sha256_process_bytes(buffer
, sum
, &ctx
);
205 /* Construct result in desired memory. */
206 sha256_finish_ctx(&ctx
, resblock
);
210 /* FIXME: Avoid code duplication */
211 int sha224_stream(FILE * stream
, void *resblock
)
213 struct sha256_ctx ctx
;
214 char buffer
[BLOCKSIZE
+ 72];
217 /* Initialize the computation context. */
218 sha224_init_ctx(&ctx
);
220 /* Iterate over full file contents. */
222 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
223 computation function processes the whole buffer so that with the
224 next round of the loop another block can be read. */
228 /* Read block. Take care for partial reads. */
230 n
= fread(buffer
+ sum
, 1, BLOCKSIZE
- sum
, stream
);
234 if (sum
== BLOCKSIZE
)
238 /* Check for the error flag IFF N == 0, so that we don't
239 exit the loop after a partial read due to e.g., EAGAIN
243 goto process_partial_block
;
246 /* We've read at least one byte, so ignore errors. But always
247 check for EOF, since feof may be true even though N > 0.
248 Otherwise, we could end up calling fread after EOF. */
250 goto process_partial_block
;
253 /* Process buffer with BLOCKSIZE bytes. Note that
256 sha256_process_block(buffer
, BLOCKSIZE
, &ctx
);
259 process_partial_block
:;
261 /* Process any remaining bytes. */
263 sha256_process_bytes(buffer
, sum
, &ctx
);
265 /* Construct result in desired memory. */
266 sha224_finish_ctx(&ctx
, resblock
);
270 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
271 result is always in little endian byte order, so that a byte-wise
272 output yields to the wanted ASCII representation of the message
274 void *sha256_buffer(const char *buffer
, size_t len
, void *resblock
)
276 struct sha256_ctx ctx
;
278 /* Initialize the computation context. */
279 sha256_init_ctx(&ctx
);
281 /* Process whole buffer but last len % 64 bytes. */
282 sha256_process_bytes(buffer
, len
, &ctx
);
284 /* Put result in desired memory area. */
285 return sha256_finish_ctx(&ctx
, resblock
);
288 void *sha224_buffer(const char *buffer
, size_t len
, void *resblock
)
290 struct sha256_ctx ctx
;
292 /* Initialize the computation context. */
293 sha224_init_ctx(&ctx
);
295 /* Process whole buffer but last len % 64 bytes. */
296 sha256_process_bytes(buffer
, len
, &ctx
);
298 /* Put result in desired memory area. */
299 return sha224_finish_ctx(&ctx
, resblock
);
303 sha256_process_bytes(const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
305 /* When we already have some bits in our internal buffer concatenate
306 both inputs first. */
307 if (ctx
->buflen
!= 0) {
308 size_t left_over
= ctx
->buflen
;
309 size_t add
= 128 - left_over
> len
? len
: 128 - left_over
;
311 memcpy(&((char *)ctx
->buffer
)[left_over
], buffer
, add
);
314 if (ctx
->buflen
> 64) {
315 sha256_process_block(ctx
->buffer
, ctx
->buflen
& ~63,
319 /* The regions in the following copy operation cannot overlap. */
321 &((char *)ctx
->buffer
)[(left_over
+ add
) & ~63],
325 buffer
= (const char *)buffer
+ add
;
329 /* Process available complete blocks. */
331 #if !_STRING_ARCH_unaligned
332 #define alignof(type) offsetof (struct { char c; type x; }, x)
333 #define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0)
334 if (UNALIGNED_P(buffer
))
336 sha256_process_block(memcpy
337 (ctx
->buffer
, buffer
, 64),
339 buffer
= (const char *)buffer
+ 64;
344 sha256_process_block(buffer
, len
& ~63, ctx
);
345 buffer
= (const char *)buffer
+ (len
& ~63);
350 /* Move remaining bytes in internal buffer. */
352 size_t left_over
= ctx
->buflen
;
354 memcpy(&((char *)ctx
->buffer
)[left_over
], buffer
, len
);
356 if (left_over
>= 64) {
357 sha256_process_block(ctx
->buffer
, 64, ctx
);
359 memcpy(ctx
->buffer
, &ctx
->buffer
[16], left_over
);
361 ctx
->buflen
= left_over
;
365 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
367 /* SHA256 round constants */
368 #define K(I) sha256_round_constants[I]
369 static const uint32_t sha256_round_constants
[64] = {
370 0x428a2f98UL
, 0x71374491UL
, 0xb5c0fbcfUL
, 0xe9b5dba5UL
,
371 0x3956c25bUL
, 0x59f111f1UL
, 0x923f82a4UL
, 0xab1c5ed5UL
,
372 0xd807aa98UL
, 0x12835b01UL
, 0x243185beUL
, 0x550c7dc3UL
,
373 0x72be5d74UL
, 0x80deb1feUL
, 0x9bdc06a7UL
, 0xc19bf174UL
,
374 0xe49b69c1UL
, 0xefbe4786UL
, 0x0fc19dc6UL
, 0x240ca1ccUL
,
375 0x2de92c6fUL
, 0x4a7484aaUL
, 0x5cb0a9dcUL
, 0x76f988daUL
,
376 0x983e5152UL
, 0xa831c66dUL
, 0xb00327c8UL
, 0xbf597fc7UL
,
377 0xc6e00bf3UL
, 0xd5a79147UL
, 0x06ca6351UL
, 0x14292967UL
,
378 0x27b70a85UL
, 0x2e1b2138UL
, 0x4d2c6dfcUL
, 0x53380d13UL
,
379 0x650a7354UL
, 0x766a0abbUL
, 0x81c2c92eUL
, 0x92722c85UL
,
380 0xa2bfe8a1UL
, 0xa81a664bUL
, 0xc24b8b70UL
, 0xc76c51a3UL
,
381 0xd192e819UL
, 0xd6990624UL
, 0xf40e3585UL
, 0x106aa070UL
,
382 0x19a4c116UL
, 0x1e376c08UL
, 0x2748774cUL
, 0x34b0bcb5UL
,
383 0x391c0cb3UL
, 0x4ed8aa4aUL
, 0x5b9cca4fUL
, 0x682e6ff3UL
,
384 0x748f82eeUL
, 0x78a5636fUL
, 0x84c87814UL
, 0x8cc70208UL
,
385 0x90befffaUL
, 0xa4506cebUL
, 0xbef9a3f7UL
, 0xc67178f2UL
,
388 /* Round functions. */
389 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
390 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
392 /* Process LEN bytes of BUFFER, accumulating context into CTX.
393 It is assumed that LEN % 64 == 0.
394 Most of this code comes from GnuPG's cipher/sha1.c. */
397 sha256_process_block(const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
399 const uint32_t *words
= buffer
;
400 size_t nwords
= len
/ sizeof(uint32_t);
401 const uint32_t *endp
= words
+ nwords
;
403 uint32_t a
= ctx
->state
[0];
404 uint32_t b
= ctx
->state
[1];
405 uint32_t c
= ctx
->state
[2];
406 uint32_t d
= ctx
->state
[3];
407 uint32_t e
= ctx
->state
[4];
408 uint32_t f
= ctx
->state
[5];
409 uint32_t g
= ctx
->state
[6];
410 uint32_t h
= ctx
->state
[7];
412 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
413 length of the file up to 2^64 bits. Here we only compute the
414 number of bytes. Do a double word increment. */
415 ctx
->total
[0] += len
;
416 if (ctx
->total
[0] < len
)
419 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
420 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
421 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
422 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
423 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
425 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
426 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
429 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
434 D += t1; H = t0 + t1; \
437 while (words
< endp
) {
441 /* FIXME: see sha1.c for a better implementation. */
442 for (t
= 0; t
< 16; t
++) {
447 R(a
, b
, c
, d
, e
, f
, g
, h
, K(0), x
[0]);
448 R(h
, a
, b
, c
, d
, e
, f
, g
, K(1), x
[1]);
449 R(g
, h
, a
, b
, c
, d
, e
, f
, K(2), x
[2]);
450 R(f
, g
, h
, a
, b
, c
, d
, e
, K(3), x
[3]);
451 R(e
, f
, g
, h
, a
, b
, c
, d
, K(4), x
[4]);
452 R(d
, e
, f
, g
, h
, a
, b
, c
, K(5), x
[5]);
453 R(c
, d
, e
, f
, g
, h
, a
, b
, K(6), x
[6]);
454 R(b
, c
, d
, e
, f
, g
, h
, a
, K(7), x
[7]);
455 R(a
, b
, c
, d
, e
, f
, g
, h
, K(8), x
[8]);
456 R(h
, a
, b
, c
, d
, e
, f
, g
, K(9), x
[9]);
457 R(g
, h
, a
, b
, c
, d
, e
, f
, K(10), x
[10]);
458 R(f
, g
, h
, a
, b
, c
, d
, e
, K(11), x
[11]);
459 R(e
, f
, g
, h
, a
, b
, c
, d
, K(12), x
[12]);
460 R(d
, e
, f
, g
, h
, a
, b
, c
, K(13), x
[13]);
461 R(c
, d
, e
, f
, g
, h
, a
, b
, K(14), x
[14]);
462 R(b
, c
, d
, e
, f
, g
, h
, a
, K(15), x
[15]);
463 R(a
, b
, c
, d
, e
, f
, g
, h
, K(16), M(16));
464 R(h
, a
, b
, c
, d
, e
, f
, g
, K(17), M(17));
465 R(g
, h
, a
, b
, c
, d
, e
, f
, K(18), M(18));
466 R(f
, g
, h
, a
, b
, c
, d
, e
, K(19), M(19));
467 R(e
, f
, g
, h
, a
, b
, c
, d
, K(20), M(20));
468 R(d
, e
, f
, g
, h
, a
, b
, c
, K(21), M(21));
469 R(c
, d
, e
, f
, g
, h
, a
, b
, K(22), M(22));
470 R(b
, c
, d
, e
, f
, g
, h
, a
, K(23), M(23));
471 R(a
, b
, c
, d
, e
, f
, g
, h
, K(24), M(24));
472 R(h
, a
, b
, c
, d
, e
, f
, g
, K(25), M(25));
473 R(g
, h
, a
, b
, c
, d
, e
, f
, K(26), M(26));
474 R(f
, g
, h
, a
, b
, c
, d
, e
, K(27), M(27));
475 R(e
, f
, g
, h
, a
, b
, c
, d
, K(28), M(28));
476 R(d
, e
, f
, g
, h
, a
, b
, c
, K(29), M(29));
477 R(c
, d
, e
, f
, g
, h
, a
, b
, K(30), M(30));
478 R(b
, c
, d
, e
, f
, g
, h
, a
, K(31), M(31));
479 R(a
, b
, c
, d
, e
, f
, g
, h
, K(32), M(32));
480 R(h
, a
, b
, c
, d
, e
, f
, g
, K(33), M(33));
481 R(g
, h
, a
, b
, c
, d
, e
, f
, K(34), M(34));
482 R(f
, g
, h
, a
, b
, c
, d
, e
, K(35), M(35));
483 R(e
, f
, g
, h
, a
, b
, c
, d
, K(36), M(36));
484 R(d
, e
, f
, g
, h
, a
, b
, c
, K(37), M(37));
485 R(c
, d
, e
, f
, g
, h
, a
, b
, K(38), M(38));
486 R(b
, c
, d
, e
, f
, g
, h
, a
, K(39), M(39));
487 R(a
, b
, c
, d
, e
, f
, g
, h
, K(40), M(40));
488 R(h
, a
, b
, c
, d
, e
, f
, g
, K(41), M(41));
489 R(g
, h
, a
, b
, c
, d
, e
, f
, K(42), M(42));
490 R(f
, g
, h
, a
, b
, c
, d
, e
, K(43), M(43));
491 R(e
, f
, g
, h
, a
, b
, c
, d
, K(44), M(44));
492 R(d
, e
, f
, g
, h
, a
, b
, c
, K(45), M(45));
493 R(c
, d
, e
, f
, g
, h
, a
, b
, K(46), M(46));
494 R(b
, c
, d
, e
, f
, g
, h
, a
, K(47), M(47));
495 R(a
, b
, c
, d
, e
, f
, g
, h
, K(48), M(48));
496 R(h
, a
, b
, c
, d
, e
, f
, g
, K(49), M(49));
497 R(g
, h
, a
, b
, c
, d
, e
, f
, K(50), M(50));
498 R(f
, g
, h
, a
, b
, c
, d
, e
, K(51), M(51));
499 R(e
, f
, g
, h
, a
, b
, c
, d
, K(52), M(52));
500 R(d
, e
, f
, g
, h
, a
, b
, c
, K(53), M(53));
501 R(c
, d
, e
, f
, g
, h
, a
, b
, K(54), M(54));
502 R(b
, c
, d
, e
, f
, g
, h
, a
, K(55), M(55));
503 R(a
, b
, c
, d
, e
, f
, g
, h
, K(56), M(56));
504 R(h
, a
, b
, c
, d
, e
, f
, g
, K(57), M(57));
505 R(g
, h
, a
, b
, c
, d
, e
, f
, K(58), M(58));
506 R(f
, g
, h
, a
, b
, c
, d
, e
, K(59), M(59));
507 R(e
, f
, g
, h
, a
, b
, c
, d
, K(60), M(60));
508 R(d
, e
, f
, g
, h
, a
, b
, c
, K(61), M(61));
509 R(c
, d
, e
, f
, g
, h
, a
, b
, K(62), M(62));
510 R(b
, c
, d
, e
, f
, g
, h
, a
, K(63), M(63));
512 a
= ctx
->state
[0] += a
;
513 b
= ctx
->state
[1] += b
;
514 c
= ctx
->state
[2] += c
;
515 d
= ctx
->state
[3] += d
;
516 e
= ctx
->state
[4] += e
;
517 f
= ctx
->state
[5] += f
;
518 g
= ctx
->state
[6] += g
;
519 h
= ctx
->state
[7] += h
;