sha256.c
1/* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005-2006, 2008-2022 Free Software Foundation, Inc.
5
6 This file is free software: you can redistribute it and/or modify
7 it under the terms of the GNU Lesser General Public License as
8 published by the Free Software Foundation; either version 2.1 of the
9 License, or (at your option) any later version.
10
11 This file is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with this program. If not, see <https://www.gnu.org/licenses/>. */
18
19/* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21
22 Minor changes by Chris Noxz
23*/
24
25/* Specification. */
26#include "sha256.h"
27
28#include <stdalign.h>
29#include <stdint.h>
30#include <string.h>
31
32#include <byteswap.h>
33#ifdef WORDS_BIGENDIAN
34# define SWAP(n) (n)
35#else
36# define SWAP(n) bswap_32 (n)
37#endif
38
39/* This array contains the bytes used to pad the buffer to the next
40 * 64-byte boundary. */
41static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
42
43/*
44 * Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
45 * initializes it to the start constants of the SHA256 algorithm. This
46 * must be called before using hash in the call to sha256_hash
47*/
48void
49SHA256_init (struct SHA256_ctx *ctx)
50{
51 ctx->state[0] = 0x6a09e667UL;
52 ctx->state[1] = 0xbb67ae85UL;
53 ctx->state[2] = 0x3c6ef372UL;
54 ctx->state[3] = 0xa54ff53aUL;
55 ctx->state[4] = 0x510e527fUL;
56 ctx->state[5] = 0x9b05688cUL;
57 ctx->state[6] = 0x1f83d9abUL;
58 ctx->state[7] = 0x5be0cd19UL;
59
60 ctx->total[0] = ctx->total[1] = 0;
61 ctx->buflen = 0;
62}
63
64/* Copy the value from v into the memory location pointed to by *CP,
65 * If your architecture allows unaligned access, this is equivalent to
66 * (__typeof__ (v) *) cp = v */
67static void
68set_uint32 (char *cp, uint32_t v)
69{
70 memcpy (cp, &v, sizeof v);
71}
72
73/* Put result from CTX in first 32 bytes following RESBUF.
74 * The result must be in little endian byte order. */
75void *
76SHA256_read_ctx (const struct SHA256_ctx *ctx, void *resbuf)
77{
78 int i;
79 char *r = resbuf;
80
81 for (i = 0; i < 8; i++)
82 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
83
84 return resbuf;
85}
86
87/* Process the remaining bytes in the internal buffer and the usual
88 * prolog according to the standard and write the result to RESBUF. */
89static void
90SHA256_conclude_ctx (struct SHA256_ctx *ctx)
91{
92 /* Take yet unprocessed bytes into account */
93 size_t bytes = ctx->buflen;
94 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
95
96 /* Now count remaining bytes. */
97 ctx->total[0] += bytes;
98 if (ctx->total[0] < bytes)
99 ++ctx->total[1];
100
101 /* Put the 64-bit file length in *bits* at the end of the buffer.
102 * Use set_uint32 rather than a simple assignment, to avoid risk of
103 * unaligned access. */
104 set_uint32 ((char *) &ctx->buffer[size - 2], SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
105 set_uint32 ((char *) &ctx->buffer[size - 1], SWAP (ctx->total[0] << 3));
106
107 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
108
109 /* Process last bytes. */
110 SHA256_process_block (ctx->buffer, size * 4, ctx);
111}
112
113void *
114SHA256_final (struct SHA256_ctx *ctx, void *resbuf)
115{
116 SHA256_conclude_ctx (ctx);
117 return SHA256_read_ctx (ctx, resbuf);
118}
119
120void
121SHA256_update (const void *buffer, size_t len, struct SHA256_ctx *ctx)
122{
123 /* When we already have some bits in our internal buffer concatenate
124 * both inputs first. */
125 if (ctx->buflen != 0)
126 {
127 size_t left_over = ctx->buflen;
128 size_t add = 128 - left_over > len ? len : 128 - left_over;
129
130 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
131 ctx->buflen += add;
132
133 if (ctx->buflen > 64)
134 {
135 SHA256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
136
137 ctx->buflen &= 63;
138 /* The regions in the following copy operation cannot overlap,
139 * because ctx->buflen < 64 ≤ (left_over + add) & ~63. */
140 memcpy (ctx->buffer, &((char *) ctx->buffer)[(left_over + add) & ~63], ctx->buflen);
141 }
142
143 buffer = (const char *) buffer + add;
144 len -= add;
145 }
146
147 /* Process available complete blocks. */
148 if (len >= 64)
149 {
150#if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
151# define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
152 if (UNALIGNED_P (buffer))
153 while (len > 64)
154 {
155 SHA256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
156 buffer = (const char *) buffer + 64;
157 len -= 64;
158 }
159 else
160#endif
161 {
162 SHA256_process_block (buffer, len & ~63, ctx);
163 buffer = (const char *) buffer + (len & ~63);
164 len &= 63;
165 }
166 }
167
168 /* Move remaining bytes in internal buffer. */
169 if (len > 0)
170 {
171 size_t left_over = ctx->buflen;
172
173 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
174 left_over += len;
175 if (left_over >= 64)
176 {
177 SHA256_process_block (ctx->buffer, 64, ctx);
178 left_over -= 64;
179 /* The regions in the following copy operation cannot overlap,
180 * because left_over ≤ 64. */
181 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
182 }
183 ctx->buflen = left_over;
184 }
185}
186
187/* --- Code below is the primary difference between sha1.c and SHA256.c --- */
188
189/* SHA256 round constants */
190#define K(I) SHA256_round_constants[I]
191static const uint32_t SHA256_round_constants[64] = {
192 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
193 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
194 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
195 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
196 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
197 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
198 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
199 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
200 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
201 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
202 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
203 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
204 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
205 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
206 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
207 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
208};
209
210/* Round functions. */
211#define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
212#define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
213
214/* Process LEN bytes of BUFFER, accumulating context into CTX.
215 * It is assumed that LEN % 64 == 0.
216 * Most of this code comes from GnuPG's cipher/sha1.c. */
217
218void
219SHA256_process_block (const void *buffer, size_t len, struct SHA256_ctx *ctx)
220{
221 const uint32_t *words = buffer;
222 size_t nwords = len / sizeof (uint32_t);
223 const uint32_t *endp = words + nwords;
224 uint32_t x[16];
225 uint32_t a = ctx->state[0];
226 uint32_t b = ctx->state[1];
227 uint32_t c = ctx->state[2];
228 uint32_t d = ctx->state[3];
229 uint32_t e = ctx->state[4];
230 uint32_t f = ctx->state[5];
231 uint32_t g = ctx->state[6];
232 uint32_t h = ctx->state[7];
233 uint32_t lolen = len;
234
235 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
236 * length of the file up to 2^64 bits. Here we only compute the
237 * number of bytes. Do a double word increment. */
238 ctx->total[0] += lolen;
239 ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen);
240
241#define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
242#define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
243#define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
244#define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
245#define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
246
247#define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
248 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
249 , x[I&0x0f] = tm )
250
251#define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
252 t1 = H + SS1(E) \
253 + F1(E,F,G) \
254 + K \
255 + M; \
256 D += t1; H = t0 + t1; \
257 } while(0)
258
259 while (words < endp)
260 {
261 uint32_t tm;
262 uint32_t t0, t1;
263 int t;
264 /* FIXME: see sha1.c for a better implementation. */
265 for (t = 0; t < 16; t++) {
266 x[t] = SWAP (*words);
267 words++;
268 }
269
270 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
271 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
272 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
273 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
274 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
275 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
276 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
277 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
278 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
279 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
280 R( g, h, a, b, c, d, e, f, K(10), x[10] );
281 R( f, g, h, a, b, c, d, e, K(11), x[11] );
282 R( e, f, g, h, a, b, c, d, K(12), x[12] );
283 R( d, e, f, g, h, a, b, c, K(13), x[13] );
284 R( c, d, e, f, g, h, a, b, K(14), x[14] );
285 R( b, c, d, e, f, g, h, a, K(15), x[15] );
286 R( a, b, c, d, e, f, g, h, K(16), M(16) );
287 R( h, a, b, c, d, e, f, g, K(17), M(17) );
288 R( g, h, a, b, c, d, e, f, K(18), M(18) );
289 R( f, g, h, a, b, c, d, e, K(19), M(19) );
290 R( e, f, g, h, a, b, c, d, K(20), M(20) );
291 R( d, e, f, g, h, a, b, c, K(21), M(21) );
292 R( c, d, e, f, g, h, a, b, K(22), M(22) );
293 R( b, c, d, e, f, g, h, a, K(23), M(23) );
294 R( a, b, c, d, e, f, g, h, K(24), M(24) );
295 R( h, a, b, c, d, e, f, g, K(25), M(25) );
296 R( g, h, a, b, c, d, e, f, K(26), M(26) );
297 R( f, g, h, a, b, c, d, e, K(27), M(27) );
298 R( e, f, g, h, a, b, c, d, K(28), M(28) );
299 R( d, e, f, g, h, a, b, c, K(29), M(29) );
300 R( c, d, e, f, g, h, a, b, K(30), M(30) );
301 R( b, c, d, e, f, g, h, a, K(31), M(31) );
302 R( a, b, c, d, e, f, g, h, K(32), M(32) );
303 R( h, a, b, c, d, e, f, g, K(33), M(33) );
304 R( g, h, a, b, c, d, e, f, K(34), M(34) );
305 R( f, g, h, a, b, c, d, e, K(35), M(35) );
306 R( e, f, g, h, a, b, c, d, K(36), M(36) );
307 R( d, e, f, g, h, a, b, c, K(37), M(37) );
308 R( c, d, e, f, g, h, a, b, K(38), M(38) );
309 R( b, c, d, e, f, g, h, a, K(39), M(39) );
310 R( a, b, c, d, e, f, g, h, K(40), M(40) );
311 R( h, a, b, c, d, e, f, g, K(41), M(41) );
312 R( g, h, a, b, c, d, e, f, K(42), M(42) );
313 R( f, g, h, a, b, c, d, e, K(43), M(43) );
314 R( e, f, g, h, a, b, c, d, K(44), M(44) );
315 R( d, e, f, g, h, a, b, c, K(45), M(45) );
316 R( c, d, e, f, g, h, a, b, K(46), M(46) );
317 R( b, c, d, e, f, g, h, a, K(47), M(47) );
318 R( a, b, c, d, e, f, g, h, K(48), M(48) );
319 R( h, a, b, c, d, e, f, g, K(49), M(49) );
320 R( g, h, a, b, c, d, e, f, K(50), M(50) );
321 R( f, g, h, a, b, c, d, e, K(51), M(51) );
322 R( e, f, g, h, a, b, c, d, K(52), M(52) );
323 R( d, e, f, g, h, a, b, c, K(53), M(53) );
324 R( c, d, e, f, g, h, a, b, K(54), M(54) );
325 R( b, c, d, e, f, g, h, a, K(55), M(55) );
326 R( a, b, c, d, e, f, g, h, K(56), M(56) );
327 R( h, a, b, c, d, e, f, g, K(57), M(57) );
328 R( g, h, a, b, c, d, e, f, K(58), M(58) );
329 R( f, g, h, a, b, c, d, e, K(59), M(59) );
330 R( e, f, g, h, a, b, c, d, K(60), M(60) );
331 R( d, e, f, g, h, a, b, c, K(61), M(61) );
332 R( c, d, e, f, g, h, a, b, K(62), M(62) );
333 R( b, c, d, e, f, g, h, a, K(63), M(63) );
334
335 a = ctx->state[0] += a;
336 b = ctx->state[1] += b;
337 c = ctx->state[2] += c;
338 d = ctx->state[3] += d;
339 e = ctx->state[4] += e;
340 f = ctx->state[5] += f;
341 g = ctx->state[6] += g;
342 h = ctx->state[7] += h;
343 }
344}
