1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005-2006, 2008-2023 Free Software Foundation, Inc.
5
6 This file is free software: you can redistribute it and/or modify
7 it under the terms of the GNU Lesser General Public License as
8 published by the Free Software Foundation; either version 2.1 of the
9 License, or (at your option) any later version.
10
11 This file is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with this program. If not, see <https://www.gnu.org/licenses/>. */
18
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21 */
22
23 #include <config.h>
24
25 /* Specification. */
26 #if HAVE_OPENSSL_SHA256
27 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
28 #endif
29 #include "sha256.h"
30
31 #include <stdint.h>
32 #include <string.h>
33
34 #include <byteswap.h>
35 #ifdef WORDS_BIGENDIAN
36 # define SWAP(n) (n)
37 #else
38 # define SWAP(n) bswap_32 (n)
39 #endif
40
41 #if ! HAVE_OPENSSL_SHA256
42
43 /* This array contains the bytes used to pad the buffer to the next
44 64-byte boundary. */
45 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
46
47
48 /*
49 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
50 initializes it to the start constants of the SHA256 algorithm. This
51 must be called before using hash in the call to sha256_hash
52 */
53 void
54 sha256_init_ctx (struct sha256_ctx *ctx)
55 {
56 ctx->state[0] = 0x6a09e667UL;
57 ctx->state[1] = 0xbb67ae85UL;
58 ctx->state[2] = 0x3c6ef372UL;
59 ctx->state[3] = 0xa54ff53aUL;
60 ctx->state[4] = 0x510e527fUL;
61 ctx->state[5] = 0x9b05688cUL;
62 ctx->state[6] = 0x1f83d9abUL;
63 ctx->state[7] = 0x5be0cd19UL;
64
65 ctx->total[0] = ctx->total[1] = 0;
66 ctx->buflen = 0;
67 }
68
69 void
70 sha224_init_ctx (struct sha256_ctx *ctx)
71 {
72 ctx->state[0] = 0xc1059ed8UL;
73 ctx->state[1] = 0x367cd507UL;
74 ctx->state[2] = 0x3070dd17UL;
75 ctx->state[3] = 0xf70e5939UL;
76 ctx->state[4] = 0xffc00b31UL;
77 ctx->state[5] = 0x68581511UL;
78 ctx->state[6] = 0x64f98fa7UL;
79 ctx->state[7] = 0xbefa4fa4UL;
80
81 ctx->total[0] = ctx->total[1] = 0;
82 ctx->buflen = 0;
83 }
84
85 /* Copy the value from v into the memory location pointed to by *CP,
86 If your architecture allows unaligned access, this is equivalent to
87 * (__typeof__ (v) *) cp = v */
88 static void
89 set_uint32 (char *cp, uint32_t v)
90 {
91 memcpy (cp, &v, sizeof v);
92 }
93
94 /* Put result from CTX in first 32 bytes following RESBUF.
95 The result must be in little endian byte order. */
96 void *
97 sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
98 {
99 int i;
100 char *r = resbuf;
101
102 for (i = 0; i < 8; i++)
103 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
104
105 return resbuf;
106 }
107
108 void *
109 sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
110 {
111 int i;
112 char *r = resbuf;
113
114 for (i = 0; i < 7; i++)
115 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
116
117 return resbuf;
118 }
119
120 /* Process the remaining bytes in the internal buffer and the usual
121 prolog according to the standard and write the result to RESBUF. */
122 static void
123 sha256_conclude_ctx (struct sha256_ctx *ctx)
124 {
125 /* Take yet unprocessed bytes into account. */
126 size_t bytes = ctx->buflen;
127 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
128
129 /* Now count remaining bytes. */
130 ctx->total[0] += bytes;
131 if (ctx->total[0] < bytes)
132 ++ctx->total[1];
133
134 /* Put the 64-bit file length in *bits* at the end of the buffer.
135 Use set_uint32 rather than a simple assignment, to avoid risk of
136 unaligned access. */
137 set_uint32 ((char *) &ctx->buffer[size - 2],
138 SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
139 set_uint32 ((char *) &ctx->buffer[size - 1],
140 SWAP (ctx->total[0] << 3));
141
142 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
143
144 /* Process last bytes. */
145 sha256_process_block (ctx->buffer, size * 4, ctx);
146 }
147
148 void *
149 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
150 {
151 sha256_conclude_ctx (ctx);
152 return sha256_read_ctx (ctx, resbuf);
153 }
154
155 void *
156 sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
157 {
158 sha256_conclude_ctx (ctx);
159 return sha224_read_ctx (ctx, resbuf);
160 }
161
162 /* Compute SHA256 message digest for LEN bytes beginning at BUFFER. The
163 result is always in little endian byte order, so that a byte-wise
164 output yields to the wanted ASCII representation of the message
165 digest. */
166 void *
167 sha256_buffer (const char *buffer, size_t len, void *resblock)
168 {
169 struct sha256_ctx ctx;
170
171 /* Initialize the computation context. */
172 sha256_init_ctx (&ctx);
173
174 /* Process whole buffer but last len % 64 bytes. */
175 sha256_process_bytes (buffer, len, &ctx);
176
177 /* Put result in desired memory area. */
178 return sha256_finish_ctx (&ctx, resblock);
179 }
180
181 void *
182 sha224_buffer (const char *buffer, size_t len, void *resblock)
183 {
184 struct sha256_ctx ctx;
185
186 /* Initialize the computation context. */
187 sha224_init_ctx (&ctx);
188
189 /* Process whole buffer but last len % 64 bytes. */
190 sha256_process_bytes (buffer, len, &ctx);
191
192 /* Put result in desired memory area. */
193 return sha224_finish_ctx (&ctx, resblock);
194 }
195
196 void
197 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
198 {
199 /* When we already have some bits in our internal buffer concatenate
200 both inputs first. */
201 if (ctx->buflen != 0)
202 {
203 size_t left_over = ctx->buflen;
204 size_t add = 128 - left_over > len ? len : 128 - left_over;
205
206 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
207 ctx->buflen += add;
208
209 if (ctx->buflen > 64)
210 {
211 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
212
213 ctx->buflen &= 63;
214 /* The regions in the following copy operation cannot overlap,
215 because ctx->buflen < 64 ≤ (left_over + add) & ~63. */
216 memcpy (ctx->buffer,
217 &((char *) ctx->buffer)[(left_over + add) & ~63],
218 ctx->buflen);
219 }
220
221 buffer = (const char *) buffer + add;
222 len -= add;
223 }
224
225 /* Process available complete blocks. */
226 if (len >= 64)
227 {
228 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
229 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
230 if (UNALIGNED_P (buffer))
231 while (len > 64)
232 {
233 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
234 buffer = (const char *) buffer + 64;
235 len -= 64;
236 }
237 else
238 #endif
239 {
240 sha256_process_block (buffer, len & ~63, ctx);
241 buffer = (const char *) buffer + (len & ~63);
242 len &= 63;
243 }
244 }
245
246 /* Move remaining bytes in internal buffer. */
247 if (len > 0)
248 {
249 size_t left_over = ctx->buflen;
250
251 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
252 left_over += len;
253 if (left_over >= 64)
254 {
255 sha256_process_block (ctx->buffer, 64, ctx);
256 left_over -= 64;
257 /* The regions in the following copy operation cannot overlap,
258 because left_over ≤ 64. */
259 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
260 }
261 ctx->buflen = left_over;
262 }
263 }
264
265 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
266
267 /* SHA256 round constants */
268 #define K(I) sha256_round_constants[I]
269 static const uint32_t sha256_round_constants[64] = {
270 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
271 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
272 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
273 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
274 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
275 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
276 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
277 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
278 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
279 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
280 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
281 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
282 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
283 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
284 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
285 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
286 };
287
288 /* Round functions. */
289 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
290 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
291
292 /* Process LEN bytes of BUFFER, accumulating context into CTX.
293 It is assumed that LEN % 64 == 0.
294 Most of this code comes from GnuPG's cipher/sha1.c. */
295
296 void
297 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
298 {
299 const uint32_t *words = buffer;
300 size_t nwords = len / sizeof (uint32_t);
301 const uint32_t *endp = words + nwords;
302 uint32_t x[16];
303 uint32_t a = ctx->state[0];
304 uint32_t b = ctx->state[1];
305 uint32_t c = ctx->state[2];
306 uint32_t d = ctx->state[3];
307 uint32_t e = ctx->state[4];
308 uint32_t f = ctx->state[5];
309 uint32_t g = ctx->state[6];
310 uint32_t h = ctx->state[7];
311 uint32_t lolen = len;
312
313 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
314 length of the file up to 2^64 bits. Here we only compute the
315 number of bytes. Do a double word increment. */
316 ctx->total[0] += lolen;
317 ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen);
318
319 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
320 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
321 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
322 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
323 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
324
325 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
326 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
327 , x[I&0x0f] = tm )
328
329 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
330 t1 = H + SS1(E) \
331 + F1(E,F,G) \
332 + K \
333 + M; \
334 D += t1; H = t0 + t1; \
335 } while(0)
336
337 while (words < endp)
338 {
339 uint32_t tm;
340 uint32_t t0, t1;
341 int t;
342 /* FIXME: see sha1.c for a better implementation. */
343 for (t = 0; t < 16; t++)
344 {
345 x[t] = SWAP (*words);
346 words++;
347 }
348
349 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
350 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
351 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
352 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
353 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
354 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
355 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
356 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
357 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
358 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
359 R( g, h, a, b, c, d, e, f, K(10), x[10] );
360 R( f, g, h, a, b, c, d, e, K(11), x[11] );
361 R( e, f, g, h, a, b, c, d, K(12), x[12] );
362 R( d, e, f, g, h, a, b, c, K(13), x[13] );
363 R( c, d, e, f, g, h, a, b, K(14), x[14] );
364 R( b, c, d, e, f, g, h, a, K(15), x[15] );
365 R( a, b, c, d, e, f, g, h, K(16), M(16) );
366 R( h, a, b, c, d, e, f, g, K(17), M(17) );
367 R( g, h, a, b, c, d, e, f, K(18), M(18) );
368 R( f, g, h, a, b, c, d, e, K(19), M(19) );
369 R( e, f, g, h, a, b, c, d, K(20), M(20) );
370 R( d, e, f, g, h, a, b, c, K(21), M(21) );
371 R( c, d, e, f, g, h, a, b, K(22), M(22) );
372 R( b, c, d, e, f, g, h, a, K(23), M(23) );
373 R( a, b, c, d, e, f, g, h, K(24), M(24) );
374 R( h, a, b, c, d, e, f, g, K(25), M(25) );
375 R( g, h, a, b, c, d, e, f, K(26), M(26) );
376 R( f, g, h, a, b, c, d, e, K(27), M(27) );
377 R( e, f, g, h, a, b, c, d, K(28), M(28) );
378 R( d, e, f, g, h, a, b, c, K(29), M(29) );
379 R( c, d, e, f, g, h, a, b, K(30), M(30) );
380 R( b, c, d, e, f, g, h, a, K(31), M(31) );
381 R( a, b, c, d, e, f, g, h, K(32), M(32) );
382 R( h, a, b, c, d, e, f, g, K(33), M(33) );
383 R( g, h, a, b, c, d, e, f, K(34), M(34) );
384 R( f, g, h, a, b, c, d, e, K(35), M(35) );
385 R( e, f, g, h, a, b, c, d, K(36), M(36) );
386 R( d, e, f, g, h, a, b, c, K(37), M(37) );
387 R( c, d, e, f, g, h, a, b, K(38), M(38) );
388 R( b, c, d, e, f, g, h, a, K(39), M(39) );
389 R( a, b, c, d, e, f, g, h, K(40), M(40) );
390 R( h, a, b, c, d, e, f, g, K(41), M(41) );
391 R( g, h, a, b, c, d, e, f, K(42), M(42) );
392 R( f, g, h, a, b, c, d, e, K(43), M(43) );
393 R( e, f, g, h, a, b, c, d, K(44), M(44) );
394 R( d, e, f, g, h, a, b, c, K(45), M(45) );
395 R( c, d, e, f, g, h, a, b, K(46), M(46) );
396 R( b, c, d, e, f, g, h, a, K(47), M(47) );
397 R( a, b, c, d, e, f, g, h, K(48), M(48) );
398 R( h, a, b, c, d, e, f, g, K(49), M(49) );
399 R( g, h, a, b, c, d, e, f, K(50), M(50) );
400 R( f, g, h, a, b, c, d, e, K(51), M(51) );
401 R( e, f, g, h, a, b, c, d, K(52), M(52) );
402 R( d, e, f, g, h, a, b, c, K(53), M(53) );
403 R( c, d, e, f, g, h, a, b, K(54), M(54) );
404 R( b, c, d, e, f, g, h, a, K(55), M(55) );
405 R( a, b, c, d, e, f, g, h, K(56), M(56) );
406 R( h, a, b, c, d, e, f, g, K(57), M(57) );
407 R( g, h, a, b, c, d, e, f, K(58), M(58) );
408 R( f, g, h, a, b, c, d, e, K(59), M(59) );
409 R( e, f, g, h, a, b, c, d, K(60), M(60) );
410 R( d, e, f, g, h, a, b, c, K(61), M(61) );
411 R( c, d, e, f, g, h, a, b, K(62), M(62) );
412 R( b, c, d, e, f, g, h, a, K(63), M(63) );
413
414 a = ctx->state[0] += a;
415 b = ctx->state[1] += b;
416 c = ctx->state[2] += c;
417 d = ctx->state[3] += d;
418 e = ctx->state[4] += e;
419 f = ctx->state[5] += f;
420 g = ctx->state[6] += g;
421 h = ctx->state[7] += h;
422 }
423 }
424
425 #endif
426
427 /*
428 * Hey Emacs!
429 * Local Variables:
430 * coding: utf-8
431 * End:
432 */