Back to index

glibc  2.9
sha256.c
Go to the documentation of this file.
00001 /* Functions to compute SHA256 message digest of files or memory blocks.
00002    according to the definition of SHA256 in FIPS 180-2.
00003    Copyright (C) 2007 Free Software Foundation, Inc.
00004    This file is part of the GNU C Library.
00005 
00006    The GNU C Library is free software; you can redistribute it and/or
00007    modify it under the terms of the GNU Lesser General Public
00008    License as published by the Free Software Foundation; either
00009    version 2.1 of the License, or (at your option) any later version.
00010 
00011    The GNU C Library is distributed in the hope that it will be useful,
00012    but WITHOUT ANY WARRANTY; without even the implied warranty of
00013    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00014    Lesser General Public License for more details.
00015 
00016    You should have received a copy of the GNU Lesser General Public
00017    License along with the GNU C Library; if not, write to the Free
00018    Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
00019    02111-1307 USA.  */
00020 
00021 /* Written by Ulrich Drepper <drepper@redhat.com>, 2007.  */
00022 
00023 #ifdef HAVE_CONFIG_H
00024 # include <config.h>
00025 #endif
00026 
00027 #include <endian.h>
00028 #include <stdlib.h>
00029 #include <string.h>
00030 #include <sys/types.h>
00031 
00032 #include "sha256.h"
00033 
00034 #if __BYTE_ORDER == __LITTLE_ENDIAN
00035 # ifdef _LIBC
00036 #  include <byteswap.h>
00037 #  define SWAP(n) bswap_32 (n)
00038 # else
00039 #  define SWAP(n) \
00040     (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
00041 # endif
00042 #else
00043 # define SWAP(n) (n)
00044 #endif
00045 
00046 
00047 /* This array contains the bytes used to pad the buffer to the next
00048    64-byte boundary.  (FIPS 180-2:5.1.1)  */
00049 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ...  */ };
00050 
00051 
00052 /* Constants for SHA256 from FIPS 180-2:4.2.2.  */
00053 static const uint32_t K[64] =
00054   {
00055     0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
00056     0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
00057     0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
00058     0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
00059     0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
00060     0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
00061     0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
00062     0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
00063     0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
00064     0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
00065     0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
00066     0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
00067     0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
00068     0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
00069     0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
00070     0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
00071   };
00072 
00073 
00074 /* Process LEN bytes of BUFFER, accumulating context into CTX.
00075    It is assumed that LEN % 64 == 0.  */
00076 static void
00077 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
00078 {
00079   const uint32_t *words = buffer;
00080   size_t nwords = len / sizeof (uint32_t);
00081   uint32_t a = ctx->H[0];
00082   uint32_t b = ctx->H[1];
00083   uint32_t c = ctx->H[2];
00084   uint32_t d = ctx->H[3];
00085   uint32_t e = ctx->H[4];
00086   uint32_t f = ctx->H[5];
00087   uint32_t g = ctx->H[6];
00088   uint32_t h = ctx->H[7];
00089 
00090   /* First increment the byte count.  FIPS 180-2 specifies the possible
00091      length of the file up to 2^64 bits.  Here we only compute the
00092      number of bytes.  Do a double word increment.  */
00093   ctx->total[0] += len;
00094   if (ctx->total[0] < len)
00095     ++ctx->total[1];
00096 
00097   /* Process all bytes in the buffer with 64 bytes in each round of
00098      the loop.  */
00099   while (nwords > 0)
00100     {
00101       uint32_t W[64];
00102       uint32_t a_save = a;
00103       uint32_t b_save = b;
00104       uint32_t c_save = c;
00105       uint32_t d_save = d;
00106       uint32_t e_save = e;
00107       uint32_t f_save = f;
00108       uint32_t g_save = g;
00109       uint32_t h_save = h;
00110 
00111       /* Operators defined in FIPS 180-2:4.1.2.  */
00112 #define Ch(x, y, z) ((x & y) ^ (~x & z))
00113 #define Maj(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
00114 #define S0(x) (CYCLIC (x, 2) ^ CYCLIC (x, 13) ^ CYCLIC (x, 22))
00115 #define S1(x) (CYCLIC (x, 6) ^ CYCLIC (x, 11) ^ CYCLIC (x, 25))
00116 #define R0(x) (CYCLIC (x, 7) ^ CYCLIC (x, 18) ^ (x >> 3))
00117 #define R1(x) (CYCLIC (x, 17) ^ CYCLIC (x, 19) ^ (x >> 10))
00118 
00119       /* It is unfortunate that C does not provide an operator for
00120         cyclic rotation.  Hope the C compiler is smart enough.  */
00121 #define CYCLIC(w, s) ((w >> s) | (w << (32 - s)))
00122 
00123       /* Compute the message schedule according to FIPS 180-2:6.2.2 step 2.  */
00124       for (unsigned int t = 0; t < 16; ++t)
00125        {
00126          W[t] = SWAP (*words);
00127          ++words;
00128        }
00129       for (unsigned int t = 16; t < 64; ++t)
00130        W[t] = R1 (W[t - 2]) + W[t - 7] + R0 (W[t - 15]) + W[t - 16];
00131 
00132       /* The actual computation according to FIPS 180-2:6.2.2 step 3.  */
00133       for (unsigned int t = 0; t < 64; ++t)
00134        {
00135          uint32_t T1 = h + S1 (e) + Ch (e, f, g) + K[t] + W[t];
00136          uint32_t T2 = S0 (a) + Maj (a, b, c);
00137          h = g;
00138          g = f;
00139          f = e;
00140          e = d + T1;
00141          d = c;
00142          c = b;
00143          b = a;
00144          a = T1 + T2;
00145        }
00146 
00147       /* Add the starting values of the context according to FIPS 180-2:6.2.2
00148         step 4.  */
00149       a += a_save;
00150       b += b_save;
00151       c += c_save;
00152       d += d_save;
00153       e += e_save;
00154       f += f_save;
00155       g += g_save;
00156       h += h_save;
00157 
00158       /* Prepare for the next round.  */
00159       nwords -= 16;
00160     }
00161 
00162   /* Put checksum in context given as argument.  */
00163   ctx->H[0] = a;
00164   ctx->H[1] = b;
00165   ctx->H[2] = c;
00166   ctx->H[3] = d;
00167   ctx->H[4] = e;
00168   ctx->H[5] = f;
00169   ctx->H[6] = g;
00170   ctx->H[7] = h;
00171 }
00172 
00173 
00174 /* Initialize structure containing state of computation.
00175    (FIPS 180-2:5.3.2)  */
00176 void
00177 __sha256_init_ctx (ctx)
00178      struct sha256_ctx *ctx;
00179 {
00180   ctx->H[0] = 0x6a09e667;
00181   ctx->H[1] = 0xbb67ae85;
00182   ctx->H[2] = 0x3c6ef372;
00183   ctx->H[3] = 0xa54ff53a;
00184   ctx->H[4] = 0x510e527f;
00185   ctx->H[5] = 0x9b05688c;
00186   ctx->H[6] = 0x1f83d9ab;
00187   ctx->H[7] = 0x5be0cd19;
00188 
00189   ctx->total[0] = ctx->total[1] = 0;
00190   ctx->buflen = 0;
00191 }
00192 
00193 
00194 /* Process the remaining bytes in the internal buffer and the usual
00195    prolog according to the standard and write the result to RESBUF.
00196 
00197    IMPORTANT: On some systems it is required that RESBUF is correctly
00198    aligned for a 32 bits value.  */
00199 void *
00200 __sha256_finish_ctx (ctx, resbuf)
00201      struct sha256_ctx *ctx;
00202      void *resbuf;
00203 {
00204   /* Take yet unprocessed bytes into account.  */
00205   uint32_t bytes = ctx->buflen;
00206   size_t pad;
00207 
00208   /* Now count remaining bytes.  */
00209   ctx->total[0] += bytes;
00210   if (ctx->total[0] < bytes)
00211     ++ctx->total[1];
00212 
00213   pad = bytes >= 56 ? 64 + 56 - bytes : 56 - bytes;
00214   memcpy (&ctx->buffer[bytes], fillbuf, pad);
00215 
00216   /* Put the 64-bit file length in *bits* at the end of the buffer.  */
00217   *(uint32_t *) &ctx->buffer[bytes + pad + 4] = SWAP (ctx->total[0] << 3);
00218   *(uint32_t *) &ctx->buffer[bytes + pad] = SWAP ((ctx->total[1] << 3) |
00219                                             (ctx->total[0] >> 29));
00220 
00221   /* Process last bytes.  */
00222   sha256_process_block (ctx->buffer, bytes + pad + 8, ctx);
00223 
00224   /* Put result from CTX in first 32 bytes following RESBUF.  */
00225   for (unsigned int i = 0; i < 8; ++i)
00226     ((uint32_t *) resbuf)[i] = SWAP (ctx->H[i]);
00227 
00228   return resbuf;
00229 }
00230 
00231 
00232 void
00233 __sha256_process_bytes (buffer, len, ctx)
00234      const void *buffer;
00235      size_t len;
00236      struct sha256_ctx *ctx;
00237 {
00238   /* When we already have some bits in our internal buffer concatenate
00239      both inputs first.  */
00240   if (ctx->buflen != 0)
00241     {
00242       size_t left_over = ctx->buflen;
00243       size_t add = 128 - left_over > len ? len : 128 - left_over;
00244 
00245       memcpy (&ctx->buffer[left_over], buffer, add);
00246       ctx->buflen += add;
00247 
00248       if (ctx->buflen > 64)
00249        {
00250          sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
00251 
00252          ctx->buflen &= 63;
00253          /* The regions in the following copy operation cannot overlap.  */
00254          memcpy (ctx->buffer, &ctx->buffer[(left_over + add) & ~63],
00255                 ctx->buflen);
00256        }
00257 
00258       buffer = (const char *) buffer + add;
00259       len -= add;
00260     }
00261 
00262   /* Process available complete blocks.  */
00263   if (len >= 64)
00264     {
00265 #if !_STRING_ARCH_unaligned
00266 /* To check alignment gcc has an appropriate operator.  Other
00267    compilers don't.  */
00268 # if __GNUC__ >= 2
00269 #  define UNALIGNED_P(p) (((uintptr_t) p) % __alignof__ (uint32_t) != 0)
00270 # else
00271 #  define UNALIGNED_P(p) (((uintptr_t) p) % sizeof (uint32_t) != 0)
00272 # endif
00273       if (UNALIGNED_P (buffer))
00274        while (len > 64)
00275          {
00276            sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
00277            buffer = (const char *) buffer + 64;
00278            len -= 64;
00279          }
00280       else
00281 #endif
00282        {
00283          sha256_process_block (buffer, len & ~63, ctx);
00284          buffer = (const char *) buffer + (len & ~63);
00285          len &= 63;
00286        }
00287     }
00288 
00289   /* Move remaining bytes into internal buffer.  */
00290   if (len > 0)
00291     {
00292       size_t left_over = ctx->buflen;
00293 
00294       memcpy (&ctx->buffer[left_over], buffer, len);
00295       left_over += len;
00296       if (left_over >= 64)
00297        {
00298          sha256_process_block (ctx->buffer, 64, ctx);
00299          left_over -= 64;
00300          memcpy (ctx->buffer, &ctx->buffer[64], left_over);
00301        }
00302       ctx->buflen = left_over;
00303     }
00304 }