root/lib/sha256.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. sha256_init_ctx
  2. sha224_init_ctx
  3. set_uint32
  4. sha256_read_ctx
  5. sha224_read_ctx
  6. sha256_conclude_ctx
  7. sha256_finish_ctx
  8. sha224_finish_ctx
  9. sha256_buffer
  10. sha224_buffer
  11. sha256_process_bytes
  12. sha256_process_block
     1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
     2    memory blocks according to the NIST specification FIPS-180-2.
     3 
     4    Copyright (C) 2005-2006, 2008-2023 Free Software Foundation, Inc.
     5 
     6    This file is free software: you can redistribute it and/or modify
     7    it under the terms of the GNU Lesser General Public License as
     8    published by the Free Software Foundation; either version 2.1 of the
     9    License, or (at your option) any later version.
    10 
    11    This file is distributed in the hope that it will be useful,
    12    but WITHOUT ANY WARRANTY; without even the implied warranty of
    13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14    GNU Lesser General Public License for more details.
    15 
    16    You should have received a copy of the GNU Lesser General Public License
    17    along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
    18 
    19 /* Written by David Madore, considerably copypasting from
    20    Scott G. Miller's sha1.c
    21 */
    22 
    23 #include <config.h>
    24 
    25 /* Specification.  */
    26 #if HAVE_OPENSSL_SHA256
    27 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
    28 #endif
    29 #include "sha256.h"
    30 
    31 #include <stdint.h>
    32 #include <string.h>
    33 
    34 #include <byteswap.h>
    35 #ifdef WORDS_BIGENDIAN
    36 # define SWAP(n) (n)
    37 #else
    38 # define SWAP(n) bswap_32 (n)
    39 #endif
    40 
    41 #if ! HAVE_OPENSSL_SHA256
    42 
    43 /* This array contains the bytes used to pad the buffer to the next
    44    64-byte boundary.  */
    45 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ...  */ };
    46 
    47 
    48 /*
    49   Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
    50   initializes it to the start constants of the SHA256 algorithm.  This
    51   must be called before using hash in the call to sha256_hash
    52 */
    53 void
    54 sha256_init_ctx (struct sha256_ctx *ctx)
    55 {
    56   ctx->state[0] = 0x6a09e667UL;
    57   ctx->state[1] = 0xbb67ae85UL;
    58   ctx->state[2] = 0x3c6ef372UL;
    59   ctx->state[3] = 0xa54ff53aUL;
    60   ctx->state[4] = 0x510e527fUL;
    61   ctx->state[5] = 0x9b05688cUL;
    62   ctx->state[6] = 0x1f83d9abUL;
    63   ctx->state[7] = 0x5be0cd19UL;
    64 
    65   ctx->total[0] = ctx->total[1] = 0;
    66   ctx->buflen = 0;
    67 }
    68 
    69 void
    70 sha224_init_ctx (struct sha256_ctx *ctx)
    71 {
    72   ctx->state[0] = 0xc1059ed8UL;
    73   ctx->state[1] = 0x367cd507UL;
    74   ctx->state[2] = 0x3070dd17UL;
    75   ctx->state[3] = 0xf70e5939UL;
    76   ctx->state[4] = 0xffc00b31UL;
    77   ctx->state[5] = 0x68581511UL;
    78   ctx->state[6] = 0x64f98fa7UL;
    79   ctx->state[7] = 0xbefa4fa4UL;
    80 
    81   ctx->total[0] = ctx->total[1] = 0;
    82   ctx->buflen = 0;
    83 }
    84 
    85 /* Copy the value from v into the memory location pointed to by *CP,
    86    If your architecture allows unaligned access, this is equivalent to
    87    * (__typeof__ (v) *) cp = v  */
    88 static void
    89 set_uint32 (char *cp, uint32_t v)
    90 {
    91   memcpy (cp, &v, sizeof v);
    92 }
    93 
    94 /* Put result from CTX in first 32 bytes following RESBUF.
    95    The result must be in little endian byte order.  */
    96 void *
    97 sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
    98 {
    99   int i;
   100   char *r = resbuf;
   101 
   102   for (i = 0; i < 8; i++)
   103     set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
   104 
   105   return resbuf;
   106 }
   107 
   108 void *
   109 sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
   110 {
   111   int i;
   112   char *r = resbuf;
   113 
   114   for (i = 0; i < 7; i++)
   115     set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
   116 
   117   return resbuf;
   118 }
   119 
   120 /* Process the remaining bytes in the internal buffer and the usual
   121    prolog according to the standard and write the result to RESBUF.  */
   122 static void
   123 sha256_conclude_ctx (struct sha256_ctx *ctx)
   124 {
   125   /* Take yet unprocessed bytes into account.  */
   126   size_t bytes = ctx->buflen;
   127   size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
   128 
   129   /* Now count remaining bytes.  */
   130   ctx->total[0] += bytes;
   131   if (ctx->total[0] < bytes)
   132     ++ctx->total[1];
   133 
   134   /* Put the 64-bit file length in *bits* at the end of the buffer.
   135      Use set_uint32 rather than a simple assignment, to avoid risk of
   136      unaligned access.  */
   137   set_uint32 ((char *) &ctx->buffer[size - 2],
   138               SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
   139   set_uint32 ((char *) &ctx->buffer[size - 1],
   140               SWAP (ctx->total[0] << 3));
   141 
   142   memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
   143 
   144   /* Process last bytes.  */
   145   sha256_process_block (ctx->buffer, size * 4, ctx);
   146 }
   147 
   148 void *
   149 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
   150 {
   151   sha256_conclude_ctx (ctx);
   152   return sha256_read_ctx (ctx, resbuf);
   153 }
   154 
   155 void *
   156 sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
   157 {
   158   sha256_conclude_ctx (ctx);
   159   return sha224_read_ctx (ctx, resbuf);
   160 }
   161 
   162 /* Compute SHA256 message digest for LEN bytes beginning at BUFFER.  The
   163    result is always in little endian byte order, so that a byte-wise
   164    output yields to the wanted ASCII representation of the message
   165    digest.  */
   166 void *
   167 sha256_buffer (const char *buffer, size_t len, void *resblock)
   168 {
   169   struct sha256_ctx ctx;
   170 
   171   /* Initialize the computation context.  */
   172   sha256_init_ctx (&ctx);
   173 
   174   /* Process whole buffer but last len % 64 bytes.  */
   175   sha256_process_bytes (buffer, len, &ctx);
   176 
   177   /* Put result in desired memory area.  */
   178   return sha256_finish_ctx (&ctx, resblock);
   179 }
   180 
   181 void *
   182 sha224_buffer (const char *buffer, size_t len, void *resblock)
   183 {
   184   struct sha256_ctx ctx;
   185 
   186   /* Initialize the computation context.  */
   187   sha224_init_ctx (&ctx);
   188 
   189   /* Process whole buffer but last len % 64 bytes.  */
   190   sha256_process_bytes (buffer, len, &ctx);
   191 
   192   /* Put result in desired memory area.  */
   193   return sha224_finish_ctx (&ctx, resblock);
   194 }
   195 
   196 void
   197 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
   198 {
   199   /* When we already have some bits in our internal buffer concatenate
   200      both inputs first.  */
   201   if (ctx->buflen != 0)
   202     {
   203       size_t left_over = ctx->buflen;
   204       size_t add = 128 - left_over > len ? len : 128 - left_over;
   205 
   206       memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
   207       ctx->buflen += add;
   208 
   209       if (ctx->buflen > 64)
   210         {
   211           sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
   212 
   213           ctx->buflen &= 63;
   214           /* The regions in the following copy operation cannot overlap,
   215              because ctx->buflen < 64 ≤ (left_over + add) & ~63.  */
   216           memcpy (ctx->buffer,
   217                   &((char *) ctx->buffer)[(left_over + add) & ~63],
   218                   ctx->buflen);
   219         }
   220 
   221       buffer = (const char *) buffer + add;
   222       len -= add;
   223     }
   224 
   225   /* Process available complete blocks.  */
   226   if (len >= 64)
   227     {
   228 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
   229 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
   230       if (UNALIGNED_P (buffer))
   231         while (len > 64)
   232           {
   233             sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
   234             buffer = (const char *) buffer + 64;
   235             len -= 64;
   236           }
   237       else
   238 #endif
   239         {
   240           sha256_process_block (buffer, len & ~63, ctx);
   241           buffer = (const char *) buffer + (len & ~63);
   242           len &= 63;
   243         }
   244     }
   245 
   246   /* Move remaining bytes in internal buffer.  */
   247   if (len > 0)
   248     {
   249       size_t left_over = ctx->buflen;
   250 
   251       memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
   252       left_over += len;
   253       if (left_over >= 64)
   254         {
   255           sha256_process_block (ctx->buffer, 64, ctx);
   256           left_over -= 64;
   257           /* The regions in the following copy operation cannot overlap,
   258              because left_over ≤ 64.  */
   259           memcpy (ctx->buffer, &ctx->buffer[16], left_over);
   260         }
   261       ctx->buflen = left_over;
   262     }
   263 }
   264 
   265 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
   266 
   267 /* SHA256 round constants */
   268 #define K(I) sha256_round_constants[I]
   269 static const uint32_t sha256_round_constants[64] = {
   270   0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
   271   0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
   272   0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
   273   0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
   274   0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
   275   0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
   276   0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
   277   0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
   278   0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
   279   0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
   280   0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
   281   0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
   282   0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
   283   0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
   284   0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
   285   0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
   286 };
   287 
   288 /* Round functions.  */
   289 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
   290 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
   291 
   292 /* Process LEN bytes of BUFFER, accumulating context into CTX.
   293    It is assumed that LEN % 64 == 0.
   294    Most of this code comes from GnuPG's cipher/sha1.c.  */
   295 
   296 void
   297 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
   298 {
   299   const uint32_t *words = buffer;
   300   size_t nwords = len / sizeof (uint32_t);
   301   const uint32_t *endp = words + nwords;
   302   uint32_t x[16];
   303   uint32_t a = ctx->state[0];
   304   uint32_t b = ctx->state[1];
   305   uint32_t c = ctx->state[2];
   306   uint32_t d = ctx->state[3];
   307   uint32_t e = ctx->state[4];
   308   uint32_t f = ctx->state[5];
   309   uint32_t g = ctx->state[6];
   310   uint32_t h = ctx->state[7];
   311   uint32_t lolen = len;
   312 
   313   /* First increment the byte count.  FIPS PUB 180-2 specifies the possible
   314      length of the file up to 2^64 bits.  Here we only compute the
   315      number of bytes.  Do a double word increment.  */
   316   ctx->total[0] += lolen;
   317   ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen);
   318 
   319 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
   320 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
   321 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
   322 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
   323 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
   324 
   325 #define M(I) ( tm =   S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
   326                     + S0(x[(I-15)&0x0f]) + x[I&0x0f]    \
   327                , x[I&0x0f] = tm )
   328 
   329 #define R(A,B,C,D,E,F,G,H,K,M)  do { t0 = SS0(A) + F2(A,B,C); \
   330                                      t1 = H + SS1(E)  \
   331                                       + F1(E,F,G)     \
   332                                       + K             \
   333                                       + M;            \
   334                                      D += t1;  H = t0 + t1; \
   335                                } while(0)
   336 
   337   while (words < endp)
   338     {
   339       uint32_t tm;
   340       uint32_t t0, t1;
   341       int t;
   342       /* FIXME: see sha1.c for a better implementation.  */
   343       for (t = 0; t < 16; t++)
   344         {
   345           x[t] = SWAP (*words);
   346           words++;
   347         }
   348 
   349       R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
   350       R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
   351       R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
   352       R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
   353       R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
   354       R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
   355       R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
   356       R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
   357       R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
   358       R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
   359       R( g, h, a, b, c, d, e, f, K(10), x[10] );
   360       R( f, g, h, a, b, c, d, e, K(11), x[11] );
   361       R( e, f, g, h, a, b, c, d, K(12), x[12] );
   362       R( d, e, f, g, h, a, b, c, K(13), x[13] );
   363       R( c, d, e, f, g, h, a, b, K(14), x[14] );
   364       R( b, c, d, e, f, g, h, a, K(15), x[15] );
   365       R( a, b, c, d, e, f, g, h, K(16), M(16) );
   366       R( h, a, b, c, d, e, f, g, K(17), M(17) );
   367       R( g, h, a, b, c, d, e, f, K(18), M(18) );
   368       R( f, g, h, a, b, c, d, e, K(19), M(19) );
   369       R( e, f, g, h, a, b, c, d, K(20), M(20) );
   370       R( d, e, f, g, h, a, b, c, K(21), M(21) );
   371       R( c, d, e, f, g, h, a, b, K(22), M(22) );
   372       R( b, c, d, e, f, g, h, a, K(23), M(23) );
   373       R( a, b, c, d, e, f, g, h, K(24), M(24) );
   374       R( h, a, b, c, d, e, f, g, K(25), M(25) );
   375       R( g, h, a, b, c, d, e, f, K(26), M(26) );
   376       R( f, g, h, a, b, c, d, e, K(27), M(27) );
   377       R( e, f, g, h, a, b, c, d, K(28), M(28) );
   378       R( d, e, f, g, h, a, b, c, K(29), M(29) );
   379       R( c, d, e, f, g, h, a, b, K(30), M(30) );
   380       R( b, c, d, e, f, g, h, a, K(31), M(31) );
   381       R( a, b, c, d, e, f, g, h, K(32), M(32) );
   382       R( h, a, b, c, d, e, f, g, K(33), M(33) );
   383       R( g, h, a, b, c, d, e, f, K(34), M(34) );
   384       R( f, g, h, a, b, c, d, e, K(35), M(35) );
   385       R( e, f, g, h, a, b, c, d, K(36), M(36) );
   386       R( d, e, f, g, h, a, b, c, K(37), M(37) );
   387       R( c, d, e, f, g, h, a, b, K(38), M(38) );
   388       R( b, c, d, e, f, g, h, a, K(39), M(39) );
   389       R( a, b, c, d, e, f, g, h, K(40), M(40) );
   390       R( h, a, b, c, d, e, f, g, K(41), M(41) );
   391       R( g, h, a, b, c, d, e, f, K(42), M(42) );
   392       R( f, g, h, a, b, c, d, e, K(43), M(43) );
   393       R( e, f, g, h, a, b, c, d, K(44), M(44) );
   394       R( d, e, f, g, h, a, b, c, K(45), M(45) );
   395       R( c, d, e, f, g, h, a, b, K(46), M(46) );
   396       R( b, c, d, e, f, g, h, a, K(47), M(47) );
   397       R( a, b, c, d, e, f, g, h, K(48), M(48) );
   398       R( h, a, b, c, d, e, f, g, K(49), M(49) );
   399       R( g, h, a, b, c, d, e, f, K(50), M(50) );
   400       R( f, g, h, a, b, c, d, e, K(51), M(51) );
   401       R( e, f, g, h, a, b, c, d, K(52), M(52) );
   402       R( d, e, f, g, h, a, b, c, K(53), M(53) );
   403       R( c, d, e, f, g, h, a, b, K(54), M(54) );
   404       R( b, c, d, e, f, g, h, a, K(55), M(55) );
   405       R( a, b, c, d, e, f, g, h, K(56), M(56) );
   406       R( h, a, b, c, d, e, f, g, K(57), M(57) );
   407       R( g, h, a, b, c, d, e, f, K(58), M(58) );
   408       R( f, g, h, a, b, c, d, e, K(59), M(59) );
   409       R( e, f, g, h, a, b, c, d, K(60), M(60) );
   410       R( d, e, f, g, h, a, b, c, K(61), M(61) );
   411       R( c, d, e, f, g, h, a, b, K(62), M(62) );
   412       R( b, c, d, e, f, g, h, a, K(63), M(63) );
   413 
   414       a = ctx->state[0] += a;
   415       b = ctx->state[1] += b;
   416       c = ctx->state[2] += c;
   417       d = ctx->state[3] += d;
   418       e = ctx->state[4] += e;
   419       f = ctx->state[5] += f;
   420       g = ctx->state[6] += g;
   421       h = ctx->state[7] += h;
   422     }
   423 }
   424 
   425 #endif
   426 
   427 /*
   428  * Hey Emacs!
   429  * Local Variables:
   430  * coding: utf-8
   431  * End:
   432  */
/* [<][>][^][v][top][bottom][index][help] */