1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
4 Copyright (C) 2005-2006, 2008-2018 Free Software Foundation, Inc.
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <https://www.gnu.org/licenses/>. */
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
25 #if HAVE_OPENSSL_SHA256
26 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
36 # include "unlocked-io.h"
39 #ifdef WORDS_BIGENDIAN
43 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
46 #define BLOCKSIZE 32768
47 #if BLOCKSIZE % 64 != 0
48 # error "invalid BLOCKSIZE"
51 #if ! HAVE_OPENSSL_SHA256
52 /* This array contains the bytes used to pad the buffer to the next
54 static const unsigned char fillbuf
[64] = { 0x80, 0 /* , 0, 0, ... */ };
58 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
59 initializes it to the start constants of the SHA256 algorithm. This
60 must be called before using hash in the call to sha256_hash
63 sha256_init_ctx (struct sha256_ctx
*ctx
)
65 ctx
->state
[0] = 0x6a09e667UL
;
66 ctx
->state
[1] = 0xbb67ae85UL
;
67 ctx
->state
[2] = 0x3c6ef372UL
;
68 ctx
->state
[3] = 0xa54ff53aUL
;
69 ctx
->state
[4] = 0x510e527fUL
;
70 ctx
->state
[5] = 0x9b05688cUL
;
71 ctx
->state
[6] = 0x1f83d9abUL
;
72 ctx
->state
[7] = 0x5be0cd19UL
;
74 ctx
->total
[0] = ctx
->total
[1] = 0;
79 sha224_init_ctx (struct sha256_ctx
*ctx
)
81 ctx
->state
[0] = 0xc1059ed8UL
;
82 ctx
->state
[1] = 0x367cd507UL
;
83 ctx
->state
[2] = 0x3070dd17UL
;
84 ctx
->state
[3] = 0xf70e5939UL
;
85 ctx
->state
[4] = 0xffc00b31UL
;
86 ctx
->state
[5] = 0x68581511UL
;
87 ctx
->state
[6] = 0x64f98fa7UL
;
88 ctx
->state
[7] = 0xbefa4fa4UL
;
90 ctx
->total
[0] = ctx
->total
[1] = 0;
94 /* Copy the value from v into the memory location pointed to by *cp,
95 If your architecture allows unaligned access this is equivalent to
96 * (uint32_t *) cp = v */
98 set_uint32 (char *cp
, uint32_t v
)
100 memcpy (cp
, &v
, sizeof v
);
103 /* Put result from CTX in first 32 bytes following RESBUF. The result
104 must be in little endian byte order. */
106 sha256_read_ctx (const struct sha256_ctx
*ctx
, void *resbuf
)
111 for (i
= 0; i
< 8; i
++)
112 set_uint32 (r
+ i
* sizeof ctx
->state
[0], SWAP (ctx
->state
[i
]));
118 sha224_read_ctx (const struct sha256_ctx
*ctx
, void *resbuf
)
123 for (i
= 0; i
< 7; i
++)
124 set_uint32 (r
+ i
* sizeof ctx
->state
[0], SWAP (ctx
->state
[i
]));
129 /* Process the remaining bytes in the internal buffer and the usual
130 prolog according to the standard and write the result to RESBUF. */
132 sha256_conclude_ctx (struct sha256_ctx
*ctx
)
134 /* Take yet unprocessed bytes into account. */
135 size_t bytes
= ctx
->buflen
;
136 size_t size
= (bytes
< 56) ? 64 / 4 : 64 * 2 / 4;
138 /* Now count remaining bytes. */
139 ctx
->total
[0] += bytes
;
140 if (ctx
->total
[0] < bytes
)
143 /* Put the 64-bit file length in *bits* at the end of the buffer.
144 Use set_uint32 rather than a simple assignment, to avoid risk of
146 set_uint32 ((char *) &ctx
->buffer
[size
- 2],
147 SWAP ((ctx
->total
[1] << 3) | (ctx
->total
[0] >> 29)));
148 set_uint32 ((char *) &ctx
->buffer
[size
- 1],
149 SWAP (ctx
->total
[0] << 3));
151 memcpy (&((char *) ctx
->buffer
)[bytes
], fillbuf
, (size
- 2) * 4 - bytes
);
153 /* Process last bytes. */
154 sha256_process_block (ctx
->buffer
, size
* 4, ctx
);
158 sha256_finish_ctx (struct sha256_ctx
*ctx
, void *resbuf
)
160 sha256_conclude_ctx (ctx
);
161 return sha256_read_ctx (ctx
, resbuf
);
165 sha224_finish_ctx (struct sha256_ctx
*ctx
, void *resbuf
)
167 sha256_conclude_ctx (ctx
);
168 return sha224_read_ctx (ctx
, resbuf
);
172 /* Compute SHA256 message digest for bytes read from STREAM. The
173 resulting message digest number will be written into the 32 bytes
174 beginning at RESBLOCK. */
176 sha256_stream (FILE *stream
, void *resblock
)
178 struct sha256_ctx ctx
;
181 char *buffer
= malloc (BLOCKSIZE
+ 72);
185 /* Initialize the computation context. */
186 sha256_init_ctx (&ctx
);
188 /* Iterate over full file contents. */
191 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
192 computation function processes the whole buffer so that with the
193 next round of the loop another block can be read. */
197 /* Read block. Take care for partial reads. */
200 n
= fread (buffer
+ sum
, 1, BLOCKSIZE
- sum
, stream
);
204 if (sum
== BLOCKSIZE
)
209 /* Check for the error flag IFF N == 0, so that we don't
210 exit the loop after a partial read due to e.g., EAGAIN
217 goto process_partial_block
;
220 /* We've read at least one byte, so ignore errors. But always
221 check for EOF, since feof may be true even though N > 0.
222 Otherwise, we could end up calling fread after EOF. */
224 goto process_partial_block
;
227 /* Process buffer with BLOCKSIZE bytes. Note that
230 sha256_process_block (buffer
, BLOCKSIZE
, &ctx
);
233 process_partial_block
:;
235 /* Process any remaining bytes. */
237 sha256_process_bytes (buffer
, sum
, &ctx
);
239 /* Construct result in desired memory. */
240 sha256_finish_ctx (&ctx
, resblock
);
245 /* FIXME: Avoid code duplication */
247 sha224_stream (FILE *stream
, void *resblock
)
249 struct sha256_ctx ctx
;
252 char *buffer
= malloc (BLOCKSIZE
+ 72);
256 /* Initialize the computation context. */
257 sha224_init_ctx (&ctx
);
259 /* Iterate over full file contents. */
262 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
263 computation function processes the whole buffer so that with the
264 next round of the loop another block can be read. */
268 /* Read block. Take care for partial reads. */
271 n
= fread (buffer
+ sum
, 1, BLOCKSIZE
- sum
, stream
);
275 if (sum
== BLOCKSIZE
)
280 /* Check for the error flag IFF N == 0, so that we don't
281 exit the loop after a partial read due to e.g., EAGAIN
288 goto process_partial_block
;
291 /* We've read at least one byte, so ignore errors. But always
292 check for EOF, since feof may be true even though N > 0.
293 Otherwise, we could end up calling fread after EOF. */
295 goto process_partial_block
;
298 /* Process buffer with BLOCKSIZE bytes. Note that
301 sha256_process_block (buffer
, BLOCKSIZE
, &ctx
);
304 process_partial_block
:;
306 /* Process any remaining bytes. */
308 sha256_process_bytes (buffer
, sum
, &ctx
);
310 /* Construct result in desired memory. */
311 sha224_finish_ctx (&ctx
, resblock
);
316 #if ! HAVE_OPENSSL_SHA256
317 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
318 result is always in little endian byte order, so that a byte-wise
319 output yields to the wanted ASCII representation of the message
322 sha256_buffer (const char *buffer
, size_t len
, void *resblock
)
324 struct sha256_ctx ctx
;
326 /* Initialize the computation context. */
327 sha256_init_ctx (&ctx
);
329 /* Process whole buffer but last len % 64 bytes. */
330 sha256_process_bytes (buffer
, len
, &ctx
);
332 /* Put result in desired memory area. */
333 return sha256_finish_ctx (&ctx
, resblock
);
337 sha224_buffer (const char *buffer
, size_t len
, void *resblock
)
339 struct sha256_ctx ctx
;
341 /* Initialize the computation context. */
342 sha224_init_ctx (&ctx
);
344 /* Process whole buffer but last len % 64 bytes. */
345 sha256_process_bytes (buffer
, len
, &ctx
);
347 /* Put result in desired memory area. */
348 return sha224_finish_ctx (&ctx
, resblock
);
352 sha256_process_bytes (const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
354 /* When we already have some bits in our internal buffer concatenate
355 both inputs first. */
356 if (ctx
->buflen
!= 0)
358 size_t left_over
= ctx
->buflen
;
359 size_t add
= 128 - left_over
> len
? len
: 128 - left_over
;
361 memcpy (&((char *) ctx
->buffer
)[left_over
], buffer
, add
);
364 if (ctx
->buflen
> 64)
366 sha256_process_block (ctx
->buffer
, ctx
->buflen
& ~63, ctx
);
369 /* The regions in the following copy operation cannot overlap,
370 because ctx->buflen < 64 ≤ (left_over + add) & ~63. */
372 &((char *) ctx
->buffer
)[(left_over
+ add
) & ~63],
376 buffer
= (const char *) buffer
+ add
;
380 /* Process available complete blocks. */
383 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
384 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
385 if (UNALIGNED_P (buffer
))
388 sha256_process_block (memcpy (ctx
->buffer
, buffer
, 64), 64, ctx
);
389 buffer
= (const char *) buffer
+ 64;
395 sha256_process_block (buffer
, len
& ~63, ctx
);
396 buffer
= (const char *) buffer
+ (len
& ~63);
401 /* Move remaining bytes in internal buffer. */
404 size_t left_over
= ctx
->buflen
;
406 memcpy (&((char *) ctx
->buffer
)[left_over
], buffer
, len
);
410 sha256_process_block (ctx
->buffer
, 64, ctx
);
412 /* The regions in the following copy operation cannot overlap,
413 because left_over ≤ 64. */
414 memcpy (ctx
->buffer
, &ctx
->buffer
[16], left_over
);
416 ctx
->buflen
= left_over
;
420 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
422 /* SHA256 round constants */
423 #define K(I) sha256_round_constants[I]
424 static const uint32_t sha256_round_constants
[64] = {
425 0x428a2f98UL
, 0x71374491UL
, 0xb5c0fbcfUL
, 0xe9b5dba5UL
,
426 0x3956c25bUL
, 0x59f111f1UL
, 0x923f82a4UL
, 0xab1c5ed5UL
,
427 0xd807aa98UL
, 0x12835b01UL
, 0x243185beUL
, 0x550c7dc3UL
,
428 0x72be5d74UL
, 0x80deb1feUL
, 0x9bdc06a7UL
, 0xc19bf174UL
,
429 0xe49b69c1UL
, 0xefbe4786UL
, 0x0fc19dc6UL
, 0x240ca1ccUL
,
430 0x2de92c6fUL
, 0x4a7484aaUL
, 0x5cb0a9dcUL
, 0x76f988daUL
,
431 0x983e5152UL
, 0xa831c66dUL
, 0xb00327c8UL
, 0xbf597fc7UL
,
432 0xc6e00bf3UL
, 0xd5a79147UL
, 0x06ca6351UL
, 0x14292967UL
,
433 0x27b70a85UL
, 0x2e1b2138UL
, 0x4d2c6dfcUL
, 0x53380d13UL
,
434 0x650a7354UL
, 0x766a0abbUL
, 0x81c2c92eUL
, 0x92722c85UL
,
435 0xa2bfe8a1UL
, 0xa81a664bUL
, 0xc24b8b70UL
, 0xc76c51a3UL
,
436 0xd192e819UL
, 0xd6990624UL
, 0xf40e3585UL
, 0x106aa070UL
,
437 0x19a4c116UL
, 0x1e376c08UL
, 0x2748774cUL
, 0x34b0bcb5UL
,
438 0x391c0cb3UL
, 0x4ed8aa4aUL
, 0x5b9cca4fUL
, 0x682e6ff3UL
,
439 0x748f82eeUL
, 0x78a5636fUL
, 0x84c87814UL
, 0x8cc70208UL
,
440 0x90befffaUL
, 0xa4506cebUL
, 0xbef9a3f7UL
, 0xc67178f2UL
,
443 /* Round functions. */
444 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
445 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
447 /* Process LEN bytes of BUFFER, accumulating context into CTX.
448 It is assumed that LEN % 64 == 0.
449 Most of this code comes from GnuPG's cipher/sha1.c. */
452 sha256_process_block (const void *buffer
, size_t len
, struct sha256_ctx
*ctx
)
454 const uint32_t *words
= buffer
;
455 size_t nwords
= len
/ sizeof (uint32_t);
456 const uint32_t *endp
= words
+ nwords
;
458 uint32_t a
= ctx
->state
[0];
459 uint32_t b
= ctx
->state
[1];
460 uint32_t c
= ctx
->state
[2];
461 uint32_t d
= ctx
->state
[3];
462 uint32_t e
= ctx
->state
[4];
463 uint32_t f
= ctx
->state
[5];
464 uint32_t g
= ctx
->state
[6];
465 uint32_t h
= ctx
->state
[7];
466 uint32_t lolen
= len
;
468 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
469 length of the file up to 2^64 bits. Here we only compute the
470 number of bytes. Do a double word increment. */
471 ctx
->total
[0] += lolen
;
472 ctx
->total
[1] += (len
>> 31 >> 1) + (ctx
->total
[0] < lolen
);
474 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
475 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
476 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
477 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
478 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
480 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
481 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
484 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
489 D += t1; H = t0 + t1; \
497 /* FIXME: see sha1.c for a better implementation. */
498 for (t
= 0; t
< 16; t
++)
500 x
[t
] = SWAP (*words
);
504 R( a
, b
, c
, d
, e
, f
, g
, h
, K( 0), x
[ 0] );
505 R( h
, a
, b
, c
, d
, e
, f
, g
, K( 1), x
[ 1] );
506 R( g
, h
, a
, b
, c
, d
, e
, f
, K( 2), x
[ 2] );
507 R( f
, g
, h
, a
, b
, c
, d
, e
, K( 3), x
[ 3] );
508 R( e
, f
, g
, h
, a
, b
, c
, d
, K( 4), x
[ 4] );
509 R( d
, e
, f
, g
, h
, a
, b
, c
, K( 5), x
[ 5] );
510 R( c
, d
, e
, f
, g
, h
, a
, b
, K( 6), x
[ 6] );
511 R( b
, c
, d
, e
, f
, g
, h
, a
, K( 7), x
[ 7] );
512 R( a
, b
, c
, d
, e
, f
, g
, h
, K( 8), x
[ 8] );
513 R( h
, a
, b
, c
, d
, e
, f
, g
, K( 9), x
[ 9] );
514 R( g
, h
, a
, b
, c
, d
, e
, f
, K(10), x
[10] );
515 R( f
, g
, h
, a
, b
, c
, d
, e
, K(11), x
[11] );
516 R( e
, f
, g
, h
, a
, b
, c
, d
, K(12), x
[12] );
517 R( d
, e
, f
, g
, h
, a
, b
, c
, K(13), x
[13] );
518 R( c
, d
, e
, f
, g
, h
, a
, b
, K(14), x
[14] );
519 R( b
, c
, d
, e
, f
, g
, h
, a
, K(15), x
[15] );
520 R( a
, b
, c
, d
, e
, f
, g
, h
, K(16), M(16) );
521 R( h
, a
, b
, c
, d
, e
, f
, g
, K(17), M(17) );
522 R( g
, h
, a
, b
, c
, d
, e
, f
, K(18), M(18) );
523 R( f
, g
, h
, a
, b
, c
, d
, e
, K(19), M(19) );
524 R( e
, f
, g
, h
, a
, b
, c
, d
, K(20), M(20) );
525 R( d
, e
, f
, g
, h
, a
, b
, c
, K(21), M(21) );
526 R( c
, d
, e
, f
, g
, h
, a
, b
, K(22), M(22) );
527 R( b
, c
, d
, e
, f
, g
, h
, a
, K(23), M(23) );
528 R( a
, b
, c
, d
, e
, f
, g
, h
, K(24), M(24) );
529 R( h
, a
, b
, c
, d
, e
, f
, g
, K(25), M(25) );
530 R( g
, h
, a
, b
, c
, d
, e
, f
, K(26), M(26) );
531 R( f
, g
, h
, a
, b
, c
, d
, e
, K(27), M(27) );
532 R( e
, f
, g
, h
, a
, b
, c
, d
, K(28), M(28) );
533 R( d
, e
, f
, g
, h
, a
, b
, c
, K(29), M(29) );
534 R( c
, d
, e
, f
, g
, h
, a
, b
, K(30), M(30) );
535 R( b
, c
, d
, e
, f
, g
, h
, a
, K(31), M(31) );
536 R( a
, b
, c
, d
, e
, f
, g
, h
, K(32), M(32) );
537 R( h
, a
, b
, c
, d
, e
, f
, g
, K(33), M(33) );
538 R( g
, h
, a
, b
, c
, d
, e
, f
, K(34), M(34) );
539 R( f
, g
, h
, a
, b
, c
, d
, e
, K(35), M(35) );
540 R( e
, f
, g
, h
, a
, b
, c
, d
, K(36), M(36) );
541 R( d
, e
, f
, g
, h
, a
, b
, c
, K(37), M(37) );
542 R( c
, d
, e
, f
, g
, h
, a
, b
, K(38), M(38) );
543 R( b
, c
, d
, e
, f
, g
, h
, a
, K(39), M(39) );
544 R( a
, b
, c
, d
, e
, f
, g
, h
, K(40), M(40) );
545 R( h
, a
, b
, c
, d
, e
, f
, g
, K(41), M(41) );
546 R( g
, h
, a
, b
, c
, d
, e
, f
, K(42), M(42) );
547 R( f
, g
, h
, a
, b
, c
, d
, e
, K(43), M(43) );
548 R( e
, f
, g
, h
, a
, b
, c
, d
, K(44), M(44) );
549 R( d
, e
, f
, g
, h
, a
, b
, c
, K(45), M(45) );
550 R( c
, d
, e
, f
, g
, h
, a
, b
, K(46), M(46) );
551 R( b
, c
, d
, e
, f
, g
, h
, a
, K(47), M(47) );
552 R( a
, b
, c
, d
, e
, f
, g
, h
, K(48), M(48) );
553 R( h
, a
, b
, c
, d
, e
, f
, g
, K(49), M(49) );
554 R( g
, h
, a
, b
, c
, d
, e
, f
, K(50), M(50) );
555 R( f
, g
, h
, a
, b
, c
, d
, e
, K(51), M(51) );
556 R( e
, f
, g
, h
, a
, b
, c
, d
, K(52), M(52) );
557 R( d
, e
, f
, g
, h
, a
, b
, c
, K(53), M(53) );
558 R( c
, d
, e
, f
, g
, h
, a
, b
, K(54), M(54) );
559 R( b
, c
, d
, e
, f
, g
, h
, a
, K(55), M(55) );
560 R( a
, b
, c
, d
, e
, f
, g
, h
, K(56), M(56) );
561 R( h
, a
, b
, c
, d
, e
, f
, g
, K(57), M(57) );
562 R( g
, h
, a
, b
, c
, d
, e
, f
, K(58), M(58) );
563 R( f
, g
, h
, a
, b
, c
, d
, e
, K(59), M(59) );
564 R( e
, f
, g
, h
, a
, b
, c
, d
, K(60), M(60) );
565 R( d
, e
, f
, g
, h
, a
, b
, c
, K(61), M(61) );
566 R( c
, d
, e
, f
, g
, h
, a
, b
, K(62), M(62) );
567 R( b
, c
, d
, e
, f
, g
, h
, a
, K(63), M(63) );
569 a
= ctx
->state
[0] += a
;
570 b
= ctx
->state
[1] += b
;
571 c
= ctx
->state
[2] += c
;
572 d
= ctx
->state
[3] += d
;
573 e
= ctx
->state
[4] += e
;
574 f
= ctx
->state
[5] += f
;
575 g
= ctx
->state
[6] += g
;
576 h
= ctx
->state
[7] += h
;