1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or 2 memory blocks according to the NIST specification FIPS-180-2. 3 4 Copyright (C) 2005, 2006 Free Software Foundation, Inc. 5 6 This program is free software; you can redistribute it and/or modify it 7 under the terms of the GNU General Public License as published by the 8 Free Software Foundation; either version 2, or (at your option) any 9 later version. 10 11 This program is distributed in the hope that it will be useful, 12 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 GNU General Public License for more details. 15 16 You should have received a copy of the GNU General Public License 17 along with this program; if not, write to the Free Software Foundation, 18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ 19 20 /* Written by David Madore, considerably copypasting from 21 Scott G. Miller's sha1.c 22 */ 23 24 #include "sha256.h" 25 26 #include <stddef.h> 27 #include <string.h> 28 29 #if USE_UNLOCKED_IO 30 #include "unlocked-io.h" 31 #endif 32 33 #ifdef WORDS_BIGENDIAN 34 #define SWAP(n) (n) 35 #else 36 #define SWAP(n) \ 37 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24)) 38 #endif 39 40 #define BLOCKSIZE 4096 41 #if BLOCKSIZE % 64 != 0 42 #error "invalid BLOCKSIZE" 43 #endif 44 45 /* This array contains the bytes used to pad the buffer to the next 46 64-byte boundary. */ 47 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ }; 48 49 /* 50 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and 51 intializes it to the start constants of the SHA256 algorithm. This 52 must be called before using hash in the call to sha256_hash 53 */ 54 void sha256_init_ctx(struct sha256_ctx *ctx) 55 { 56 ctx->state[0] = 0x6a09e667UL; 57 ctx->state[1] = 0xbb67ae85UL; 58 ctx->state[2] = 0x3c6ef372UL; 59 ctx->state[3] = 0xa54ff53aUL; 60 ctx->state[4] = 0x510e527fUL; 61 ctx->state[5] = 0x9b05688cUL; 62 ctx->state[6] = 0x1f83d9abUL; 63 ctx->state[7] = 0x5be0cd19UL; 64 65 ctx->total[0] = ctx->total[1] = 0; 66 ctx->buflen = 0; 67 } 68 69 void sha224_init_ctx(struct sha256_ctx *ctx) 70 { 71 ctx->state[0] = 0xc1059ed8UL; 72 ctx->state[1] = 0x367cd507UL; 73 ctx->state[2] = 0x3070dd17UL; 74 ctx->state[3] = 0xf70e5939UL; 75 ctx->state[4] = 0xffc00b31UL; 76 ctx->state[5] = 0x68581511UL; 77 ctx->state[6] = 0x64f98fa7UL; 78 ctx->state[7] = 0xbefa4fa4UL; 79 80 ctx->total[0] = ctx->total[1] = 0; 81 ctx->buflen = 0; 82 } 83 84 /* Put result from CTX in first 32 bytes following RESBUF. The result 85 must be in little endian byte order. 86 87 IMPORTANT: On some systems it is required that RESBUF is correctly 88 aligned for a 32-bit value. */ 89 void *sha256_read_ctx(const struct sha256_ctx *ctx, void *resbuf) 90 { 91 int i; 92 93 for (i = 0; i < 8; i++) 94 ((uint32_t *) resbuf)[i] = SWAP(ctx->state[i]); 95 96 return resbuf; 97 } 98 99 void *sha224_read_ctx(const struct sha256_ctx *ctx, void *resbuf) 100 { 101 int i; 102 103 for (i = 0; i < 7; i++) 104 ((uint32_t *) resbuf)[i] = SWAP(ctx->state[i]); 105 106 return resbuf; 107 } 108 109 /* Process the remaining bytes in the internal buffer and the usual 110 prolog according to the standard and write the result to RESBUF. 111 112 IMPORTANT: On some systems it is required that RESBUF is correctly 113 aligned for a 32-bit value. */ 114 static void sha256_conclude_ctx(struct sha256_ctx *ctx) 115 { 116 /* Take yet unprocessed bytes into account. */ 117 uint32_t bytes = ctx->buflen; 118 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4; 119 120 /* Now count remaining bytes. */ 121 ctx->total[0] += bytes; 122 if (ctx->total[0] < bytes) 123 ++ctx->total[1]; 124 125 /* Put the 64-bit file length in *bits* at the end of the buffer. */ 126 ctx->buffer[size - 2] = 127 SWAP((ctx->total[1] << 3) | (ctx->total[0] >> 29)); 128 ctx->buffer[size - 1] = SWAP(ctx->total[0] << 3); 129 130 memcpy(&((char *)ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes); 131 132 /* Process last bytes. */ 133 sha256_process_block(ctx->buffer, size * 4, ctx); 134 } 135 136 void *sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf) 137 { 138 sha256_conclude_ctx(ctx); 139 return sha256_read_ctx(ctx, resbuf); 140 } 141 142 void *sha224_finish_ctx(struct sha256_ctx *ctx, void *resbuf) 143 { 144 sha256_conclude_ctx(ctx); 145 return sha224_read_ctx(ctx, resbuf); 146 } 147 148 /* Compute SHA256 message digest for bytes read from STREAM. The 149 resulting message digest number will be written into the 32 bytes 150 beginning at RESBLOCK. */ 151 int sha256_stream(FILE * stream, void *resblock) 152 { 153 struct sha256_ctx ctx; 154 char buffer[BLOCKSIZE + 72]; 155 size_t sum; 156 157 /* Initialize the computation context. */ 158 sha256_init_ctx(&ctx); 159 160 /* Iterate over full file contents. */ 161 while (1) { 162 /* We read the file in blocks of BLOCKSIZE bytes. One call of the 163 computation function processes the whole buffer so that with the 164 next round of the loop another block can be read. */ 165 size_t n; 166 sum = 0; 167 168 /* Read block. Take care for partial reads. */ 169 while (1) { 170 n = fread(buffer + sum, 1, BLOCKSIZE - sum, stream); 171 172 sum += n; 173 174 if (sum == BLOCKSIZE) 175 break; 176 177 if (n == 0) { 178 /* Check for the error flag IFF N == 0, so that we don't 179 exit the loop after a partial read due to e.g., EAGAIN 180 or EWOULDBLOCK. */ 181 if (ferror(stream)) 182 return 1; 183 goto process_partial_block; 184 } 185 186 /* We've read at least one byte, so ignore errors. But always 187 check for EOF, since feof may be true even though N > 0. 188 Otherwise, we could end up calling fread after EOF. */ 189 if (feof(stream)) 190 goto process_partial_block; 191 } 192 193 /* Process buffer with BLOCKSIZE bytes. Note that 194 BLOCKSIZE % 64 == 0 195 */ 196 sha256_process_block(buffer, BLOCKSIZE, &ctx); 197 } 198 199 process_partial_block:; 200 201 /* Process any remaining bytes. */ 202 if (sum > 0) 203 sha256_process_bytes(buffer, sum, &ctx); 204 205 /* Construct result in desired memory. */ 206 sha256_finish_ctx(&ctx, resblock); 207 return 0; 208 } 209 210 /* FIXME: Avoid code duplication */ 211 int sha224_stream(FILE * stream, void *resblock) 212 { 213 struct sha256_ctx ctx; 214 char buffer[BLOCKSIZE + 72]; 215 size_t sum; 216 217 /* Initialize the computation context. */ 218 sha224_init_ctx(&ctx); 219 220 /* Iterate over full file contents. */ 221 while (1) { 222 /* We read the file in blocks of BLOCKSIZE bytes. One call of the 223 computation function processes the whole buffer so that with the 224 next round of the loop another block can be read. */ 225 size_t n; 226 sum = 0; 227 228 /* Read block. Take care for partial reads. */ 229 while (1) { 230 n = fread(buffer + sum, 1, BLOCKSIZE - sum, stream); 231 232 sum += n; 233 234 if (sum == BLOCKSIZE) 235 break; 236 237 if (n == 0) { 238 /* Check for the error flag IFF N == 0, so that we don't 239 exit the loop after a partial read due to e.g., EAGAIN 240 or EWOULDBLOCK. */ 241 if (ferror(stream)) 242 return 1; 243 goto process_partial_block; 244 } 245 246 /* We've read at least one byte, so ignore errors. But always 247 check for EOF, since feof may be true even though N > 0. 248 Otherwise, we could end up calling fread after EOF. */ 249 if (feof(stream)) 250 goto process_partial_block; 251 } 252 253 /* Process buffer with BLOCKSIZE bytes. Note that 254 BLOCKSIZE % 64 == 0 255 */ 256 sha256_process_block(buffer, BLOCKSIZE, &ctx); 257 } 258 259 process_partial_block:; 260 261 /* Process any remaining bytes. */ 262 if (sum > 0) 263 sha256_process_bytes(buffer, sum, &ctx); 264 265 /* Construct result in desired memory. */ 266 sha224_finish_ctx(&ctx, resblock); 267 return 0; 268 } 269 270 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The 271 result is always in little endian byte order, so that a byte-wise 272 output yields to the wanted ASCII representation of the message 273 digest. */ 274 void *sha256_buffer(const char *buffer, size_t len, void *resblock) 275 { 276 struct sha256_ctx ctx; 277 278 /* Initialize the computation context. */ 279 sha256_init_ctx(&ctx); 280 281 /* Process whole buffer but last len % 64 bytes. */ 282 sha256_process_bytes(buffer, len, &ctx); 283 284 /* Put result in desired memory area. */ 285 return sha256_finish_ctx(&ctx, resblock); 286 } 287 288 void *sha224_buffer(const char *buffer, size_t len, void *resblock) 289 { 290 struct sha256_ctx ctx; 291 292 /* Initialize the computation context. */ 293 sha224_init_ctx(&ctx); 294 295 /* Process whole buffer but last len % 64 bytes. */ 296 sha256_process_bytes(buffer, len, &ctx); 297 298 /* Put result in desired memory area. */ 299 return sha224_finish_ctx(&ctx, resblock); 300 } 301 302 void 303 sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx) 304 { 305 /* When we already have some bits in our internal buffer concatenate 306 both inputs first. */ 307 if (ctx->buflen != 0) { 308 size_t left_over = ctx->buflen; 309 size_t add = 128 - left_over > len ? len : 128 - left_over; 310 311 memcpy(&((char *)ctx->buffer)[left_over], buffer, add); 312 ctx->buflen += add; 313 314 if (ctx->buflen > 64) { 315 sha256_process_block(ctx->buffer, ctx->buflen & ~63, 316 ctx); 317 318 ctx->buflen &= 63; 319 /* The regions in the following copy operation cannot overlap. */ 320 memcpy(ctx->buffer, 321 &((char *)ctx->buffer)[(left_over + add) & ~63], 322 ctx->buflen); 323 } 324 325 buffer = (const char *)buffer + add; 326 len -= add; 327 } 328 329 /* Process available complete blocks. */ 330 if (len >= 64) { 331 #if !_STRING_ARCH_unaligned 332 #define alignof(type) offsetof (struct { char c; type x; }, x) 333 #define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0) 334 if (UNALIGNED_P(buffer)) 335 while (len > 64) { 336 sha256_process_block(memcpy 337 (ctx->buffer, buffer, 64), 338 64, ctx); 339 buffer = (const char *)buffer + 64; 340 len -= 64; 341 } else 342 #endif 343 { 344 sha256_process_block(buffer, len & ~63, ctx); 345 buffer = (const char *)buffer + (len & ~63); 346 len &= 63; 347 } 348 } 349 350 /* Move remaining bytes in internal buffer. */ 351 if (len > 0) { 352 size_t left_over = ctx->buflen; 353 354 memcpy(&((char *)ctx->buffer)[left_over], buffer, len); 355 left_over += len; 356 if (left_over >= 64) { 357 sha256_process_block(ctx->buffer, 64, ctx); 358 left_over -= 64; 359 memcpy(ctx->buffer, &ctx->buffer[16], left_over); 360 } 361 ctx->buflen = left_over; 362 } 363 } 364 365 /* --- Code below is the primary difference between sha1.c and sha256.c --- */ 366 367 /* SHA256 round constants */ 368 #define K(I) sha256_round_constants[I] 369 static const uint32_t sha256_round_constants[64] = { 370 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 371 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 372 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 373 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 374 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 375 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 376 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 377 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 378 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 379 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 380 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 381 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 382 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 383 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 384 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 385 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, 386 }; 387 388 /* Round functions. */ 389 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) ) 390 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) ) 391 392 /* Process LEN bytes of BUFFER, accumulating context into CTX. 393 It is assumed that LEN % 64 == 0. 394 Most of this code comes from GnuPG's cipher/sha1.c. */ 395 396 void 397 sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx) 398 { 399 const uint32_t *words = buffer; 400 size_t nwords = len / sizeof(uint32_t); 401 const uint32_t *endp = words + nwords; 402 uint32_t x[16]; 403 uint32_t a = ctx->state[0]; 404 uint32_t b = ctx->state[1]; 405 uint32_t c = ctx->state[2]; 406 uint32_t d = ctx->state[3]; 407 uint32_t e = ctx->state[4]; 408 uint32_t f = ctx->state[5]; 409 uint32_t g = ctx->state[6]; 410 uint32_t h = ctx->state[7]; 411 412 /* First increment the byte count. FIPS PUB 180-2 specifies the possible 413 length of the file up to 2^64 bits. Here we only compute the 414 number of bytes. Do a double word increment. */ 415 ctx->total[0] += len; 416 if (ctx->total[0] < len) 417 ++ctx->total[1]; 418 419 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n)))) 420 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3)) 421 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10)) 422 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10)) 423 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7)) 424 425 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \ 426 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \ 427 , x[I&0x0f] = tm ) 428 429 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \ 430 t1 = H + SS1(E) \ 431 + F1(E,F,G) \ 432 + K \ 433 + M; \ 434 D += t1; H = t0 + t1; \ 435 } while(0) 436 437 while (words < endp) { 438 uint32_t tm; 439 uint32_t t0, t1; 440 int t; 441 /* FIXME: see sha1.c for a better implementation. */ 442 for (t = 0; t < 16; t++) { 443 x[t] = SWAP(*words); 444 words++; 445 } 446 447 R(a, b, c, d, e, f, g, h, K(0), x[0]); 448 R(h, a, b, c, d, e, f, g, K(1), x[1]); 449 R(g, h, a, b, c, d, e, f, K(2), x[2]); 450 R(f, g, h, a, b, c, d, e, K(3), x[3]); 451 R(e, f, g, h, a, b, c, d, K(4), x[4]); 452 R(d, e, f, g, h, a, b, c, K(5), x[5]); 453 R(c, d, e, f, g, h, a, b, K(6), x[6]); 454 R(b, c, d, e, f, g, h, a, K(7), x[7]); 455 R(a, b, c, d, e, f, g, h, K(8), x[8]); 456 R(h, a, b, c, d, e, f, g, K(9), x[9]); 457 R(g, h, a, b, c, d, e, f, K(10), x[10]); 458 R(f, g, h, a, b, c, d, e, K(11), x[11]); 459 R(e, f, g, h, a, b, c, d, K(12), x[12]); 460 R(d, e, f, g, h, a, b, c, K(13), x[13]); 461 R(c, d, e, f, g, h, a, b, K(14), x[14]); 462 R(b, c, d, e, f, g, h, a, K(15), x[15]); 463 R(a, b, c, d, e, f, g, h, K(16), M(16)); 464 R(h, a, b, c, d, e, f, g, K(17), M(17)); 465 R(g, h, a, b, c, d, e, f, K(18), M(18)); 466 R(f, g, h, a, b, c, d, e, K(19), M(19)); 467 R(e, f, g, h, a, b, c, d, K(20), M(20)); 468 R(d, e, f, g, h, a, b, c, K(21), M(21)); 469 R(c, d, e, f, g, h, a, b, K(22), M(22)); 470 R(b, c, d, e, f, g, h, a, K(23), M(23)); 471 R(a, b, c, d, e, f, g, h, K(24), M(24)); 472 R(h, a, b, c, d, e, f, g, K(25), M(25)); 473 R(g, h, a, b, c, d, e, f, K(26), M(26)); 474 R(f, g, h, a, b, c, d, e, K(27), M(27)); 475 R(e, f, g, h, a, b, c, d, K(28), M(28)); 476 R(d, e, f, g, h, a, b, c, K(29), M(29)); 477 R(c, d, e, f, g, h, a, b, K(30), M(30)); 478 R(b, c, d, e, f, g, h, a, K(31), M(31)); 479 R(a, b, c, d, e, f, g, h, K(32), M(32)); 480 R(h, a, b, c, d, e, f, g, K(33), M(33)); 481 R(g, h, a, b, c, d, e, f, K(34), M(34)); 482 R(f, g, h, a, b, c, d, e, K(35), M(35)); 483 R(e, f, g, h, a, b, c, d, K(36), M(36)); 484 R(d, e, f, g, h, a, b, c, K(37), M(37)); 485 R(c, d, e, f, g, h, a, b, K(38), M(38)); 486 R(b, c, d, e, f, g, h, a, K(39), M(39)); 487 R(a, b, c, d, e, f, g, h, K(40), M(40)); 488 R(h, a, b, c, d, e, f, g, K(41), M(41)); 489 R(g, h, a, b, c, d, e, f, K(42), M(42)); 490 R(f, g, h, a, b, c, d, e, K(43), M(43)); 491 R(e, f, g, h, a, b, c, d, K(44), M(44)); 492 R(d, e, f, g, h, a, b, c, K(45), M(45)); 493 R(c, d, e, f, g, h, a, b, K(46), M(46)); 494 R(b, c, d, e, f, g, h, a, K(47), M(47)); 495 R(a, b, c, d, e, f, g, h, K(48), M(48)); 496 R(h, a, b, c, d, e, f, g, K(49), M(49)); 497 R(g, h, a, b, c, d, e, f, K(50), M(50)); 498 R(f, g, h, a, b, c, d, e, K(51), M(51)); 499 R(e, f, g, h, a, b, c, d, K(52), M(52)); 500 R(d, e, f, g, h, a, b, c, K(53), M(53)); 501 R(c, d, e, f, g, h, a, b, K(54), M(54)); 502 R(b, c, d, e, f, g, h, a, K(55), M(55)); 503 R(a, b, c, d, e, f, g, h, K(56), M(56)); 504 R(h, a, b, c, d, e, f, g, K(57), M(57)); 505 R(g, h, a, b, c, d, e, f, K(58), M(58)); 506 R(f, g, h, a, b, c, d, e, K(59), M(59)); 507 R(e, f, g, h, a, b, c, d, K(60), M(60)); 508 R(d, e, f, g, h, a, b, c, K(61), M(61)); 509 R(c, d, e, f, g, h, a, b, K(62), M(62)); 510 R(b, c, d, e, f, g, h, a, K(63), M(63)); 511 512 a = ctx->state[0] += a; 513 b = ctx->state[1] += b; 514 c = ctx->state[2] += c; 515 d = ctx->state[3] += d; 516 e = ctx->state[4] += e; 517 f = ctx->state[5] += f; 518 g = ctx->state[6] += g; 519 h = ctx->state[7] += h; 520 } 521 } 522
This page was automatically generated by LXR 0.3.1. • OpenWrt