1 /* sha256.c - Functions to compute SHA256 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
4 Copyright (C) 2005, 2006 Free Software Foundation, Inc.
6 This program is free software; you can redistribute it and/or modify it
7 under the terms of the GNU General Public License as published by the
8 Free Software Foundation; either version 2, or (at your option) any
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software Foundation,
18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
20 /* Written by David Madore, considerably copypasting from
21 Scott G. Miller's sha1.c
30 #if __BYTE_ORDER == __BIG_ENDIAN
34 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
37 #define BLOCKSIZE 4096
38 #if BLOCKSIZE % 64 != 0
39 # error "invalid BLOCKSIZE"
42 /* This array contains the bytes used to pad the buffer to the next
44 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
48 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
49 intializes it to the start constants of the SHA256 algorithm. This
50 must be called before using hash in the call to sha256_hash
53 sha256_init_ctx (struct sha256_ctx *ctx)
55 ctx->state[0] = 0x6a09e667UL;
56 ctx->state[1] = 0xbb67ae85UL;
57 ctx->state[2] = 0x3c6ef372UL;
58 ctx->state[3] = 0xa54ff53aUL;
59 ctx->state[4] = 0x510e527fUL;
60 ctx->state[5] = 0x9b05688cUL;
61 ctx->state[6] = 0x1f83d9abUL;
62 ctx->state[7] = 0x5be0cd19UL;
64 ctx->total[0] = ctx->total[1] = 0;
68 /* Put result from CTX in first 32 bytes following RESBUF. The result
69 must be in little endian byte order.
71 IMPORTANT: On some systems it is required that RESBUF is correctly
72 aligned for a 32-bit value. */
74 sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
78 for (i = 0; i < 8; i++)
79 ((uint32_t *) resbuf)[i] = SWAP (ctx->state[i]);
84 /* Process the remaining bytes in the internal buffer and the usual
85 prolog according to the standard and write the result to RESBUF.
87 IMPORTANT: On some systems it is required that RESBUF is correctly
88 aligned for a 32-bit value. */
90 sha256_conclude_ctx (struct sha256_ctx *ctx)
92 /* Take yet unprocessed bytes into account. */
93 uint32_t bytes = ctx->buflen;
94 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
96 /* Now count remaining bytes. */
97 ctx->total[0] += bytes;
98 if (ctx->total[0] < bytes)
101 /* Put the 64-bit file length in *bits* at the end of the buffer. */
102 ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29));
103 ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3);
105 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
107 /* Process last bytes. */
108 sha256_process_block (ctx->buffer, size * 4, ctx);
112 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
114 sha256_conclude_ctx (ctx);
115 return sha256_read_ctx (ctx, resbuf);
118 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
119 result is always in little endian byte order, so that a byte-wise
120 output yields to the wanted ASCII representation of the message
123 sha256_buffer (const char *buffer, size_t len, void *resblock)
125 struct sha256_ctx ctx;
127 /* Initialize the computation context. */
128 sha256_init_ctx (&ctx);
130 /* Process whole buffer but last len % 64 bytes. */
131 sha256_process_bytes (buffer, len, &ctx);
133 /* Put result in desired memory area. */
134 return sha256_finish_ctx (&ctx, resblock);
138 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
140 /* When we already have some bits in our internal buffer concatenate
141 both inputs first. */
142 if (ctx->buflen != 0)
144 size_t left_over = ctx->buflen;
145 size_t add = 128 - left_over > len ? len : 128 - left_over;
147 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
150 if (ctx->buflen > 64)
152 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
155 /* The regions in the following copy operation cannot overlap. */
157 &((char *) ctx->buffer)[(left_over + add) & ~63],
161 buffer = (const char *) buffer + add;
165 /* Process available complete blocks. */
168 #if !_STRING_ARCH_unaligned
169 # define alignof(type) offsetof (struct { char c; type x; }, x)
170 # define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0)
171 if (UNALIGNED_P (buffer))
174 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
175 buffer = (const char *) buffer + 64;
181 sha256_process_block (buffer, len & ~63, ctx);
182 buffer = (const char *) buffer + (len & ~63);
187 /* Move remaining bytes in internal buffer. */
190 size_t left_over = ctx->buflen;
192 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
196 sha256_process_block (ctx->buffer, 64, ctx);
198 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
200 ctx->buflen = left_over;
204 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
206 /* SHA256 round constants */
207 #define K(I) sha256_round_constants[I]
208 static const uint32_t sha256_round_constants[64] = {
209 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
210 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
211 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
212 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
213 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
214 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
215 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
216 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
217 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
218 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
219 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
220 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
221 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
222 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
223 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
224 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
227 /* Round functions. */
228 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
229 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
231 /* Process LEN bytes of BUFFER, accumulating context into CTX.
232 It is assumed that LEN % 64 == 0.
233 Most of this code comes from GnuPG's cipher/sha1.c. */
236 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
238 const uint32_t *words = buffer;
239 size_t nwords = len / sizeof (uint32_t);
240 const uint32_t *endp = words + nwords;
242 uint32_t a = ctx->state[0];
243 uint32_t b = ctx->state[1];
244 uint32_t c = ctx->state[2];
245 uint32_t d = ctx->state[3];
246 uint32_t e = ctx->state[4];
247 uint32_t f = ctx->state[5];
248 uint32_t g = ctx->state[6];
249 uint32_t h = ctx->state[7];
251 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
252 length of the file up to 2^64 bits. Here we only compute the
253 number of bytes. Do a double word increment. */
254 ctx->total[0] += len;
255 if (ctx->total[0] < len)
258 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
259 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
260 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
261 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
262 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
264 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
265 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
268 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
273 D += t1; H = t0 + t1; \
281 /* FIXME: see sha1.c for a better implementation. */
282 for (t = 0; t < 16; t++)
284 x[t] = SWAP (*words);
288 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
289 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
290 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
291 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
292 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
293 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
294 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
295 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
296 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
297 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
298 R( g, h, a, b, c, d, e, f, K(10), x[10] );
299 R( f, g, h, a, b, c, d, e, K(11), x[11] );
300 R( e, f, g, h, a, b, c, d, K(12), x[12] );
301 R( d, e, f, g, h, a, b, c, K(13), x[13] );
302 R( c, d, e, f, g, h, a, b, K(14), x[14] );
303 R( b, c, d, e, f, g, h, a, K(15), x[15] );
304 R( a, b, c, d, e, f, g, h, K(16), M(16) );
305 R( h, a, b, c, d, e, f, g, K(17), M(17) );
306 R( g, h, a, b, c, d, e, f, K(18), M(18) );
307 R( f, g, h, a, b, c, d, e, K(19), M(19) );
308 R( e, f, g, h, a, b, c, d, K(20), M(20) );
309 R( d, e, f, g, h, a, b, c, K(21), M(21) );
310 R( c, d, e, f, g, h, a, b, K(22), M(22) );
311 R( b, c, d, e, f, g, h, a, K(23), M(23) );
312 R( a, b, c, d, e, f, g, h, K(24), M(24) );
313 R( h, a, b, c, d, e, f, g, K(25), M(25) );
314 R( g, h, a, b, c, d, e, f, K(26), M(26) );
315 R( f, g, h, a, b, c, d, e, K(27), M(27) );
316 R( e, f, g, h, a, b, c, d, K(28), M(28) );
317 R( d, e, f, g, h, a, b, c, K(29), M(29) );
318 R( c, d, e, f, g, h, a, b, K(30), M(30) );
319 R( b, c, d, e, f, g, h, a, K(31), M(31) );
320 R( a, b, c, d, e, f, g, h, K(32), M(32) );
321 R( h, a, b, c, d, e, f, g, K(33), M(33) );
322 R( g, h, a, b, c, d, e, f, K(34), M(34) );
323 R( f, g, h, a, b, c, d, e, K(35), M(35) );
324 R( e, f, g, h, a, b, c, d, K(36), M(36) );
325 R( d, e, f, g, h, a, b, c, K(37), M(37) );
326 R( c, d, e, f, g, h, a, b, K(38), M(38) );
327 R( b, c, d, e, f, g, h, a, K(39), M(39) );
328 R( a, b, c, d, e, f, g, h, K(40), M(40) );
329 R( h, a, b, c, d, e, f, g, K(41), M(41) );
330 R( g, h, a, b, c, d, e, f, K(42), M(42) );
331 R( f, g, h, a, b, c, d, e, K(43), M(43) );
332 R( e, f, g, h, a, b, c, d, K(44), M(44) );
333 R( d, e, f, g, h, a, b, c, K(45), M(45) );
334 R( c, d, e, f, g, h, a, b, K(46), M(46) );
335 R( b, c, d, e, f, g, h, a, K(47), M(47) );
336 R( a, b, c, d, e, f, g, h, K(48), M(48) );
337 R( h, a, b, c, d, e, f, g, K(49), M(49) );
338 R( g, h, a, b, c, d, e, f, K(50), M(50) );
339 R( f, g, h, a, b, c, d, e, K(51), M(51) );
340 R( e, f, g, h, a, b, c, d, K(52), M(52) );
341 R( d, e, f, g, h, a, b, c, K(53), M(53) );
342 R( c, d, e, f, g, h, a, b, K(54), M(54) );
343 R( b, c, d, e, f, g, h, a, K(55), M(55) );
344 R( a, b, c, d, e, f, g, h, K(56), M(56) );
345 R( h, a, b, c, d, e, f, g, K(57), M(57) );
346 R( g, h, a, b, c, d, e, f, K(58), M(58) );
347 R( f, g, h, a, b, c, d, e, K(59), M(59) );
348 R( e, f, g, h, a, b, c, d, K(60), M(60) );
349 R( d, e, f, g, h, a, b, c, K(61), M(61) );
350 R( c, d, e, f, g, h, a, b, K(62), M(62) );
351 R( b, c, d, e, f, g, h, a, K(63), M(63) );
353 a = ctx->state[0] += a;
354 b = ctx->state[1] += b;
355 c = ctx->state[2] += c;
356 d = ctx->state[3] += d;
357 e = ctx->state[4] += e;
358 f = ctx->state[5] += f;
359 g = ctx->state[6] += g;
360 h = ctx->state[7] += h;