search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
seq no longer mishandles cases like "seq 0 0.000001 0.000003",
[coreutils/ericb.git] / lib / sha256.c
blobd23c509dc33846dbcc0f1e455e8e1734b8f9705a
1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005, 2006 Free Software Foundation, Inc.
5
6 This program is free software; you can redistribute it and/or modify it
7 under the terms of the GNU General Public License as published by the
8 Free Software Foundation; either version 2, or (at your option) any
9 later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software Foundation,
18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
19
20 /* Written by David Madore, considerably copypasting from
21 Scott G. Miller's sha1.c
22 */
23
24 #include <config.h>
25
26 #include "sha256.h"
27
28 #include <stddef.h>
29 #include <string.h>
30
31 #if USE_UNLOCKED_IO
32 # include "unlocked-io.h"
33 #endif
34
35 #ifdef WORDS_BIGENDIAN
36 # define SWAP(n) (n)
37 #else
38 # define SWAP(n) \
39 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
40 #endif
41
42 #define BLOCKSIZE 4096
43 #if BLOCKSIZE % 64 != 0
44 # error "invalid BLOCKSIZE"
45 #endif
46
47 /* This array contains the bytes used to pad the buffer to the next
48 64-byte boundary. */
49 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
50
51
52 /*
53 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
54 intializes it to the start constants of the SHA256 algorithm. This
55 must be called before using hash in the call to sha256_hash
56 */
57 void
58 sha256_init_ctx (struct sha256_ctx *ctx)
59 {
60 ctx->state[0] = 0x6a09e667UL;
61 ctx->state[1] = 0xbb67ae85UL;
62 ctx->state[2] = 0x3c6ef372UL;
63 ctx->state[3] = 0xa54ff53aUL;
64 ctx->state[4] = 0x510e527fUL;
65 ctx->state[5] = 0x9b05688cUL;
66 ctx->state[6] = 0x1f83d9abUL;
67 ctx->state[7] = 0x5be0cd19UL;
68
69 ctx->total[0] = ctx->total[1] = 0;
70 ctx->buflen = 0;
71 }
72
73 void
74 sha224_init_ctx (struct sha256_ctx *ctx)
75 {
76 ctx->state[0] = 0xc1059ed8UL;
77 ctx->state[1] = 0x367cd507UL;
78 ctx->state[2] = 0x3070dd17UL;
79 ctx->state[3] = 0xf70e5939UL;
80 ctx->state[4] = 0xffc00b31UL;
81 ctx->state[5] = 0x68581511UL;
82 ctx->state[6] = 0x64f98fa7UL;
83 ctx->state[7] = 0xbefa4fa4UL;
84
85 ctx->total[0] = ctx->total[1] = 0;
86 ctx->buflen = 0;
87 }
88
89 /* Put result from CTX in first 32 bytes following RESBUF. The result
90 must be in little endian byte order.
91
92 IMPORTANT: On some systems it is required that RESBUF is correctly
93 aligned for a 32-bit value. */
94 void *
95 sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
96 {
97 int i;
98
99 for (i = 0; i < 8; i++)
100 ((uint32_t *) resbuf)[i] = SWAP (ctx->state[i]);
101
102 return resbuf;
103 }
104
105 void *
106 sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
107 {
108 int i;
109
110 for (i = 0; i < 7; i++)
111 ((uint32_t *) resbuf)[i] = SWAP (ctx->state[i]);
112
113 return resbuf;
114 }
115
116 /* Process the remaining bytes in the internal buffer and the usual
117 prolog according to the standard and write the result to RESBUF.
118
119 IMPORTANT: On some systems it is required that RESBUF is correctly
120 aligned for a 32-bit value. */
121 static void
122 sha256_conclude_ctx (struct sha256_ctx *ctx)
123 {
124 /* Take yet unprocessed bytes into account. */
125 uint32_t bytes = ctx->buflen;
126 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
127
128 /* Now count remaining bytes. */
129 ctx->total[0] += bytes;
130 if (ctx->total[0] < bytes)
131 ++ctx->total[1];
132
133 /* Put the 64-bit file length in *bits* at the end of the buffer. */
134 ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29));
135 ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3);
136
137 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
138
139 /* Process last bytes. */
140 sha256_process_block (ctx->buffer, size * 4, ctx);
141 }
142
143 void *
144 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
145 {
146 sha256_conclude_ctx (ctx);
147 return sha256_read_ctx (ctx, resbuf);
148 }
149
150 void *
151 sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
152 {
153 sha256_conclude_ctx (ctx);
154 return sha224_read_ctx (ctx, resbuf);
155 }
156
157 /* Compute SHA256 message digest for bytes read from STREAM. The
158 resulting message digest number will be written into the 32 bytes
159 beginning at RESBLOCK. */
160 int
161 sha256_stream (FILE *stream, void *resblock)
162 {
163 struct sha256_ctx ctx;
164 char buffer[BLOCKSIZE + 72];
165 size_t sum;
166
167 /* Initialize the computation context. */
168 sha256_init_ctx (&ctx);
169
170 /* Iterate over full file contents. */
171 while (1)
172 {
173 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
174 computation function processes the whole buffer so that with the
175 next round of the loop another block can be read. */
176 size_t n;
177 sum = 0;
178
179 /* Read block. Take care for partial reads. */
180 while (1)
181 {
182 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
183
184 sum += n;
185
186 if (sum == BLOCKSIZE)
187 break;
188
189 if (n == 0)
190 {
191 /* Check for the error flag IFF N == 0, so that we don't
192 exit the loop after a partial read due to e.g., EAGAIN
193 or EWOULDBLOCK. */
194 if (ferror (stream))
195 return 1;
196 goto process_partial_block;
197 }
198
199 /* We've read at least one byte, so ignore errors. But always
200 check for EOF, since feof may be true even though N > 0.
201 Otherwise, we could end up calling fread after EOF. */
202 if (feof (stream))
203 goto process_partial_block;
204 }
205
206 /* Process buffer with BLOCKSIZE bytes. Note that
207 BLOCKSIZE % 64 == 0
208 */
209 sha256_process_block (buffer, BLOCKSIZE, &ctx);
210 }
211
212 process_partial_block:;
213
214 /* Process any remaining bytes. */
215 if (sum > 0)
216 sha256_process_bytes (buffer, sum, &ctx);
217
218 /* Construct result in desired memory. */
219 sha256_finish_ctx (&ctx, resblock);
220 return 0;
221 }
222
223 /* FIXME: Avoid code duplication */
224 int
225 sha224_stream (FILE *stream, void *resblock)
226 {
227 struct sha256_ctx ctx;
228 char buffer[BLOCKSIZE + 72];
229 size_t sum;
230
231 /* Initialize the computation context. */
232 sha224_init_ctx (&ctx);
233
234 /* Iterate over full file contents. */
235 while (1)
236 {
237 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
238 computation function processes the whole buffer so that with the
239 next round of the loop another block can be read. */
240 size_t n;
241 sum = 0;
242
243 /* Read block. Take care for partial reads. */
244 while (1)
245 {
246 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
247
248 sum += n;
249
250 if (sum == BLOCKSIZE)
251 break;
252
253 if (n == 0)
254 {
255 /* Check for the error flag IFF N == 0, so that we don't
256 exit the loop after a partial read due to e.g., EAGAIN
257 or EWOULDBLOCK. */
258 if (ferror (stream))
259 return 1;
260 goto process_partial_block;
261 }
262
263 /* We've read at least one byte, so ignore errors. But always
264 check for EOF, since feof may be true even though N > 0.
265 Otherwise, we could end up calling fread after EOF. */
266 if (feof (stream))
267 goto process_partial_block;
268 }
269
270 /* Process buffer with BLOCKSIZE bytes. Note that
271 BLOCKSIZE % 64 == 0
272 */
273 sha256_process_block (buffer, BLOCKSIZE, &ctx);
274 }
275
276 process_partial_block:;
277
278 /* Process any remaining bytes. */
279 if (sum > 0)
280 sha256_process_bytes (buffer, sum, &ctx);
281
282 /* Construct result in desired memory. */
283 sha224_finish_ctx (&ctx, resblock);
284 return 0;
285 }
286
287 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
288 result is always in little endian byte order, so that a byte-wise
289 output yields to the wanted ASCII representation of the message
290 digest. */
291 void *
292 sha256_buffer (const char *buffer, size_t len, void *resblock)
293 {
294 struct sha256_ctx ctx;
295
296 /* Initialize the computation context. */
297 sha256_init_ctx (&ctx);
298
299 /* Process whole buffer but last len % 64 bytes. */
300 sha256_process_bytes (buffer, len, &ctx);
301
302 /* Put result in desired memory area. */
303 return sha256_finish_ctx (&ctx, resblock);
304 }
305
306 void *
307 sha224_buffer (const char *buffer, size_t len, void *resblock)
308 {
309 struct sha256_ctx ctx;
310
311 /* Initialize the computation context. */
312 sha224_init_ctx (&ctx);
313
314 /* Process whole buffer but last len % 64 bytes. */
315 sha256_process_bytes (buffer, len, &ctx);
316
317 /* Put result in desired memory area. */
318 return sha224_finish_ctx (&ctx, resblock);
319 }
320
321 void
322 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
323 {
324 /* When we already have some bits in our internal buffer concatenate
325 both inputs first. */
326 if (ctx->buflen != 0)
327 {
328 size_t left_over = ctx->buflen;
329 size_t add = 128 - left_over > len ? len : 128 - left_over;
330
331 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
332 ctx->buflen += add;
333
334 if (ctx->buflen > 64)
335 {
336 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
337
338 ctx->buflen &= 63;
339 /* The regions in the following copy operation cannot overlap. */
340 memcpy (ctx->buffer,
341 &((char *) ctx->buffer)[(left_over + add) & ~63],
342 ctx->buflen);
343 }
344
345 buffer = (const char *) buffer + add;
346 len -= add;
347 }
348
349 /* Process available complete blocks. */
350 if (len >= 64)
351 {
352 #if !_STRING_ARCH_unaligned
353 # define alignof(type) offsetof (struct { char c; type x; }, x)
354 # define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0)
355 if (UNALIGNED_P (buffer))
356 while (len > 64)
357 {
358 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
359 buffer = (const char *) buffer + 64;
360 len -= 64;
361 }
362 else
363 #endif
364 {
365 sha256_process_block (buffer, len & ~63, ctx);
366 buffer = (const char *) buffer + (len & ~63);
367 len &= 63;
368 }
369 }
370
371 /* Move remaining bytes in internal buffer. */
372 if (len > 0)
373 {
374 size_t left_over = ctx->buflen;
375
376 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
377 left_over += len;
378 if (left_over >= 64)
379 {
380 sha256_process_block (ctx->buffer, 64, ctx);
381 left_over -= 64;
382 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
383 }
384 ctx->buflen = left_over;
385 }
386 }
387
388 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
389
390 /* SHA256 round constants */
391 #define K(I) sha256_round_constants[I]
392 static const uint32_t sha256_round_constants[64] = {
393 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
394 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
395 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
396 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
397 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
398 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
399 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
400 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
401 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
402 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
403 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
404 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
405 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
406 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
407 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
408 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
409 };
410
411 /* Round functions. */
412 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
413 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
414
415 /* Process LEN bytes of BUFFER, accumulating context into CTX.
416 It is assumed that LEN % 64 == 0.
417 Most of this code comes from GnuPG's cipher/sha1.c. */
418
419 void
420 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
421 {
422 const uint32_t *words = buffer;
423 size_t nwords = len / sizeof (uint32_t);
424 const uint32_t *endp = words + nwords;
425 uint32_t x[16];
426 uint32_t a = ctx->state[0];
427 uint32_t b = ctx->state[1];
428 uint32_t c = ctx->state[2];
429 uint32_t d = ctx->state[3];
430 uint32_t e = ctx->state[4];
431 uint32_t f = ctx->state[5];
432 uint32_t g = ctx->state[6];
433 uint32_t h = ctx->state[7];
434
435 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
436 length of the file up to 2^64 bits. Here we only compute the
437 number of bytes. Do a double word increment. */
438 ctx->total[0] += len;
439 if (ctx->total[0] < len)
440 ++ctx->total[1];
441
442 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
443 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
444 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
445 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
446 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
447
448 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
449 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
450 , x[I&0x0f] = tm )
451
452 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
453 t1 = H + SS1(E) \
454 + F1(E,F,G) \
455 + K \
456 + M; \
457 D += t1; H = t0 + t1; \
458 } while(0)
459
460 while (words < endp)
461 {
462 uint32_t tm;
463 uint32_t t0, t1;
464 int t;
465 /* FIXME: see sha1.c for a better implementation. */
466 for (t = 0; t < 16; t++)
467 {
468 x[t] = SWAP (*words);
469 words++;
470 }
471
472 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
473 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
474 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
475 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
476 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
477 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
478 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
479 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
480 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
481 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
482 R( g, h, a, b, c, d, e, f, K(10), x[10] );
483 R( f, g, h, a, b, c, d, e, K(11), x[11] );
484 R( e, f, g, h, a, b, c, d, K(12), x[12] );
485 R( d, e, f, g, h, a, b, c, K(13), x[13] );
486 R( c, d, e, f, g, h, a, b, K(14), x[14] );
487 R( b, c, d, e, f, g, h, a, K(15), x[15] );
488 R( a, b, c, d, e, f, g, h, K(16), M(16) );
489 R( h, a, b, c, d, e, f, g, K(17), M(17) );
490 R( g, h, a, b, c, d, e, f, K(18), M(18) );
491 R( f, g, h, a, b, c, d, e, K(19), M(19) );
492 R( e, f, g, h, a, b, c, d, K(20), M(20) );
493 R( d, e, f, g, h, a, b, c, K(21), M(21) );
494 R( c, d, e, f, g, h, a, b, K(22), M(22) );
495 R( b, c, d, e, f, g, h, a, K(23), M(23) );
496 R( a, b, c, d, e, f, g, h, K(24), M(24) );
497 R( h, a, b, c, d, e, f, g, K(25), M(25) );
498 R( g, h, a, b, c, d, e, f, K(26), M(26) );
499 R( f, g, h, a, b, c, d, e, K(27), M(27) );
500 R( e, f, g, h, a, b, c, d, K(28), M(28) );
501 R( d, e, f, g, h, a, b, c, K(29), M(29) );
502 R( c, d, e, f, g, h, a, b, K(30), M(30) );
503 R( b, c, d, e, f, g, h, a, K(31), M(31) );
504 R( a, b, c, d, e, f, g, h, K(32), M(32) );
505 R( h, a, b, c, d, e, f, g, K(33), M(33) );
506 R( g, h, a, b, c, d, e, f, K(34), M(34) );
507 R( f, g, h, a, b, c, d, e, K(35), M(35) );
508 R( e, f, g, h, a, b, c, d, K(36), M(36) );
509 R( d, e, f, g, h, a, b, c, K(37), M(37) );
510 R( c, d, e, f, g, h, a, b, K(38), M(38) );
511 R( b, c, d, e, f, g, h, a, K(39), M(39) );
512 R( a, b, c, d, e, f, g, h, K(40), M(40) );
513 R( h, a, b, c, d, e, f, g, K(41), M(41) );
514 R( g, h, a, b, c, d, e, f, K(42), M(42) );
515 R( f, g, h, a, b, c, d, e, K(43), M(43) );
516 R( e, f, g, h, a, b, c, d, K(44), M(44) );
517 R( d, e, f, g, h, a, b, c, K(45), M(45) );
518 R( c, d, e, f, g, h, a, b, K(46), M(46) );
519 R( b, c, d, e, f, g, h, a, K(47), M(47) );
520 R( a, b, c, d, e, f, g, h, K(48), M(48) );
521 R( h, a, b, c, d, e, f, g, K(49), M(49) );
522 R( g, h, a, b, c, d, e, f, K(50), M(50) );
523 R( f, g, h, a, b, c, d, e, K(51), M(51) );
524 R( e, f, g, h, a, b, c, d, K(52), M(52) );
525 R( d, e, f, g, h, a, b, c, K(53), M(53) );
526 R( c, d, e, f, g, h, a, b, K(54), M(54) );
527 R( b, c, d, e, f, g, h, a, K(55), M(55) );
528 R( a, b, c, d, e, f, g, h, K(56), M(56) );
529 R( h, a, b, c, d, e, f, g, K(57), M(57) );
530 R( g, h, a, b, c, d, e, f, K(58), M(58) );
531 R( f, g, h, a, b, c, d, e, K(59), M(59) );
532 R( e, f, g, h, a, b, c, d, K(60), M(60) );
533 R( d, e, f, g, h, a, b, c, K(61), M(61) );
534 R( c, d, e, f, g, h, a, b, K(62), M(62) );
535 R( b, c, d, e, f, g, h, a, K(63), M(63) );
536
537 a = ctx->state[0] += a;
538 b = ctx->state[1] += b;
539 c = ctx->state[2] += c;
540 d = ctx->state[3] += d;
541 e = ctx->state[4] += e;
542 f = ctx->state[5] += f;
543 g = ctx->state[6] += g;
544 h = ctx->state[7] += h;
545 }
546 }
Eric Blake's GNU coreutils patches