2
* Copyright (c) 2001-2003 Allan Saddi <allan@saddi.com>
5
* Redistribution and use in source and binary forms, with or without
6
* modification, are permitted provided that the following conditions
8
* 1. Redistributions of source code must retain the above copyright
9
* notice, this list of conditions and the following disclaimer.
10
* 2. Redistributions in binary form must reproduce the above copyright
11
* notice, this list of conditions and the following disclaimer in the
12
* documentation and/or other materials provided with the distribution.
14
* THIS SOFTWARE IS PROVIDED BY ALLAN SADDI AND HIS CONTRIBUTORS ``AS IS''
15
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17
* ARE DISCLAIMED. IN NO EVENT SHALL ALLAN SADDI OR HIS CONTRIBUTORS BE
18
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
19
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
20
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
21
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
22
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
23
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
24
* POSSIBILITY OF SUCH DAMAGE.
26
* $Id: sha256.c 680 2003-07-25 21:57:49Z asaddi $
30
* Define WORDS_BIGENDIAN if compiling on a big-endian architecture.
32
* Define SHA256_TEST to test the implementation using the NIST's
33
* sample messages. The output should be:
35
* ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad
36
* 248d6a61 d20638b8 e5c02693 0c3e6039 a33ce459 64ff2167 f6ecedd4 19db06c1
37
* cdc76e5c 9914fb92 81a1c7e2 84d73e67 f1809a48 a497200e 046d39cc c7112cd0
2
* Copyright (C) 2001 Niels Moller
4
* This program is free software; you can redistribute it and/or
5
* modify it under the terms of the GNU General Public License as
6
* published by the Free Software Foundation; either version 2 of the
7
* License, or (at your option) any later version.
9
* The nettle library is distributed in the hope that it will be useful, but
10
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
12
* License for more details.
14
* You should have received a copy of the GNU Lesser General Public License
15
* along with the nettle library; see the file COPYING.LIB. If not, write to
16
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
41
#include "clamav-config.h"
42
#endif /* HAVE_CONFIG_H */
45
# include <inttypes.h>
20
/* Modelled after the sha1.c code by Peter Gutmann. */
52
23
#include <string.h>
54
26
#include "sha256.h"
57
static const char rcsid[] =
58
"$Id: sha256.c 680 2003-07-25 21:57:49Z asaddi $";
61
#define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
62
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
64
#define Ch(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
65
#define Maj(x, y, z) (((x) & ((y) | (z))) | ((y) & (z)))
66
#define SIGMA0(x) (ROTR((x), 2) ^ ROTR((x), 13) ^ ROTR((x), 22))
67
#define SIGMA1(x) (ROTR((x), 6) ^ ROTR((x), 11) ^ ROTR((x), 25))
68
#define sigma0(x) (ROTR((x), 7) ^ ROTR((x), 18) ^ ((x) >> 3))
69
#define sigma1(x) (ROTR((x), 17) ^ ROTR((x), 19) ^ ((x) >> 10))
71
#define DO_ROUND() { \
72
t1 = h + SIGMA1(e) + Ch(e, f, g) + *(Kp++) + *(W++); \
73
t2 = SIGMA0(a) + Maj(a, b, c); \
28
/* A block, treated as a sequence of 32-bit words. */
29
#define SHA256_DATA_LENGTH 16
31
#define ROTR(n,x) ((x)>>(n) | ((x)<<(32-(n))))
32
#define SHR(n,x) ((x)>>(n))
34
#define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) )
35
#define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) )
37
#define S0(x) (ROTR(2,(x)) ^ ROTR(13,(x)) ^ ROTR(22,(x)))
38
#define S1(x) (ROTR(6,(x)) ^ ROTR(11,(x)) ^ ROTR(25,(x)))
40
#define s0(x) (ROTR(7,(x)) ^ ROTR(18,(x)) ^ SHR(3,(x)))
41
#define s1(x) (ROTR(17,(x)) ^ ROTR(19,(x)) ^ SHR(10,(x)))
84
43
static const uint32_t K[64] = {
85
0x428a2f98L, 0x71374491L, 0xb5c0fbcfL, 0xe9b5dba5L,
86
0x3956c25bL, 0x59f111f1L, 0x923f82a4L, 0xab1c5ed5L,
87
0xd807aa98L, 0x12835b01L, 0x243185beL, 0x550c7dc3L,
88
0x72be5d74L, 0x80deb1feL, 0x9bdc06a7L, 0xc19bf174L,
89
0xe49b69c1L, 0xefbe4786L, 0x0fc19dc6L, 0x240ca1ccL,
90
0x2de92c6fL, 0x4a7484aaL, 0x5cb0a9dcL, 0x76f988daL,
91
0x983e5152L, 0xa831c66dL, 0xb00327c8L, 0xbf597fc7L,
92
0xc6e00bf3L, 0xd5a79147L, 0x06ca6351L, 0x14292967L,
93
0x27b70a85L, 0x2e1b2138L, 0x4d2c6dfcL, 0x53380d13L,
94
0x650a7354L, 0x766a0abbL, 0x81c2c92eL, 0x92722c85L,
95
0xa2bfe8a1L, 0xa81a664bL, 0xc24b8b70L, 0xc76c51a3L,
96
0xd192e819L, 0xd6990624L, 0xf40e3585L, 0x106aa070L,
97
0x19a4c116L, 0x1e376c08L, 0x2748774cL, 0x34b0bcb5L,
98
0x391c0cb3L, 0x4ed8aa4aL, 0x5b9cca4fL, 0x682e6ff3L,
99
0x748f82eeL, 0x78a5636fL, 0x84c87814L, 0x8cc70208L,
100
0x90befffaL, 0xa4506cebL, 0xbef9a3f7L, 0xc67178f2L
103
#ifndef RUNTIME_ENDIAN
105
#if WORDS_BIGENDIAN == 1
107
#define BYTESWAP(x) (x)
108
#define BYTESWAP64(x) (x)
110
#else /* WORDS_BIGENDIAN */
112
#define BYTESWAP(x) ((ROTR((x), 8) & 0xff00ff00L) | \
113
(ROTL((x), 8) & 0x00ff00ffL))
114
#define BYTESWAP64(x) _byteswap64(x)
116
static inline uint64_t _byteswap64(uint64_t x)
118
uint32_t a = x >> 32;
119
uint32_t b = (uint32_t) x;
120
return ((uint64_t) BYTESWAP(b) << 32) | (uint64_t) BYTESWAP(a);
123
#endif /* WORDS_BIGENDIAN */
125
#else /* !RUNTIME_ENDIAN */
127
#define BYTESWAP(x) _byteswap(sc->littleEndian, x)
128
#define BYTESWAP64(x) _byteswap64(sc->littleEndian, x)
130
#define _BYTESWAP(x) ((ROTR((x), 8) & 0xff00ff00L) | \
131
(ROTL((x), 8) & 0x00ff00ffL))
132
#define _BYTESWAP64(x) __byteswap64(x)
134
static inline uint64_t __byteswap64(uint64_t x)
136
uint32_t a = x >> 32;
137
uint32_t b = (uint32_t) x;
138
return ((uint64_t) _BYTESWAP(b) << 32) | (uint64_t) _BYTESWAP(a);
141
static inline uint32_t _byteswap(int littleEndian, uint32_t x)
149
static inline uint64_t _byteswap64(int littleEndian, uint64_t x)
154
return _BYTESWAP64(x);
157
static inline void setEndian(int *littleEndianp)
165
*littleEndianp = endian.b[0] != 0;
168
#endif /* !RUNTIME_ENDIAN */
170
static const uint8_t padding[64] = {
171
0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
172
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
173
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
174
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
175
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
176
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
177
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
178
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
182
sha256_init (SHA256_CTX *sc)
184
#ifdef RUNTIME_ENDIAN
185
setEndian (&sc->littleEndian);
186
#endif /* RUNTIME_ENDIAN */
188
sc->totalLength = 0LL;
189
sc->hash[0] = 0x6a09e667L;
190
sc->hash[1] = 0xbb67ae85L;
191
sc->hash[2] = 0x3c6ef372L;
192
sc->hash[3] = 0xa54ff53aL;
193
sc->hash[4] = 0x510e527fL;
194
sc->hash[5] = 0x9b05688cL;
195
sc->hash[6] = 0x1f83d9abL;
196
sc->hash[7] = 0x5be0cd19L;
197
sc->bufferLength = 0L;
205
memset (buf, 0, sizeof (buf));
206
size -= sizeof (buf);
212
SHA256Guts (SHA256_CTX *sc, const uint32_t *cbuf)
215
uint32_t *W, *W2, *W7, *W15, *W16;
216
uint32_t a, b, c, d, e, f, g, h;
223
for (i = 15; i >= 0; i--) {
224
*(W++) = BYTESWAP(*cbuf);
233
for (i = 47; i >= 0; i--) {
234
*(W++) = sigma1(*W2) + *(W7++) + sigma0(*W15) + *(W16++);
251
#ifndef SHA256_UNROLL
252
#define SHA256_UNROLL 4
253
#endif /* !SHA256_UNROLL */
255
#if SHA256_UNROLL == 1
256
for (i = 63; i >= 0; i--)
258
#elif SHA256_UNROLL == 2
259
for (i = 31; i >= 0; i--) {
260
DO_ROUND(); DO_ROUND();
262
#elif SHA256_UNROLL == 4
263
for (i = 15; i >= 0; i--) {
264
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
266
#elif SHA256_UNROLL == 8
267
for (i = 7; i >= 0; i--) {
268
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
269
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
271
#elif SHA256_UNROLL == 16
272
for (i = 3; i >= 0; i--) {
273
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
274
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
275
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
276
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
278
#elif SHA256_UNROLL == 32
279
for (i = 1; i >= 0; i--) {
280
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
281
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
282
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
283
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
284
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
285
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
286
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
287
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
289
#elif SHA256_UNROLL == 64
290
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
291
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
292
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
293
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
294
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
295
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
296
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
297
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
298
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
299
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
300
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
301
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
302
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
303
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
304
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
305
DO_ROUND(); DO_ROUND(); DO_ROUND(); DO_ROUND();
307
#error "SHA256_UNROLL must be 1, 2, 4, 8, 16, 32, or 64!"
321
sha256_update (SHA256_CTX *sc, const void *vdata, uint32_t len)
323
const uint8_t *data = vdata;
324
uint32_t bufferBytesLeft;
325
uint32_t bytesToCopy;
327
#ifdef SHA256_FAST_COPY
328
if (sc->bufferLength) {
329
bufferBytesLeft = 64L - sc->bufferLength;
331
bytesToCopy = bufferBytesLeft;
332
if (bytesToCopy > len)
335
memcpy (&sc->buffer.bytes[sc->bufferLength], data, bytesToCopy);
337
sc->totalLength += bytesToCopy * 8L;
339
sc->bufferLength += bytesToCopy;
343
if (sc->bufferLength == 64L) {
344
SHA256Guts (sc, sc->buffer.words);
346
sc->bufferLength = 0L;
351
sc->totalLength += 512L;
353
SHA256Guts (sc, data);
361
memcpy (&sc->buffer.bytes[sc->bufferLength], data, len);
363
sc->totalLength += len * 8L;
365
sc->bufferLength += len;
367
#else /* SHA256_FAST_COPY */
369
bufferBytesLeft = 64L - sc->bufferLength;
371
bytesToCopy = bufferBytesLeft;
372
if (bytesToCopy > len)
375
memcpy (&sc->buffer.bytes[sc->bufferLength], data, bytesToCopy);
377
sc->totalLength += bytesToCopy * 8L;
379
sc->bufferLength += bytesToCopy;
383
if (sc->bufferLength == 64L) {
384
SHA256Guts (sc, sc->buffer.words);
386
sc->bufferLength = 0L;
389
#endif /* SHA256_FAST_COPY */
392
burnStack (sizeof (uint32_t[74]) + sizeof (uint32_t *[6]) + sizeof (int));
396
sha256_final (SHA256_CTX *sc, uint8_t hash[SHA256_HASH_SIZE])
402
bytesToPad = 120L - sc->bufferLength;
403
if (bytesToPad > 64L)
406
lengthPad = BYTESWAP64(sc->totalLength);
408
sha256_update (sc, padding, bytesToPad);
409
sha256_update (sc, &lengthPad, 8L);
412
for (i = 0; i < SHA256_HASH_WORDS; i++) {
413
#ifdef SHA256_FAST_COPY
414
*((uint32_t *) hash) = BYTESWAP(sc->hash[i]);
415
#else /* SHA256_FAST_COPY */
416
hash[0] = (uint8_t) (sc->hash[i] >> 24);
417
hash[1] = (uint8_t) (sc->hash[i] >> 16);
418
hash[2] = (uint8_t) (sc->hash[i] >> 8);
419
hash[3] = (uint8_t) sc->hash[i];
420
#endif /* SHA256_FAST_COPY */
433
main (int argc, char *argv[])
436
uint8_t hash[SHA256_HASH_SIZE];
441
sha256_update (&foo, "abc", 3);
442
sha256_final (&foo, hash);
444
for (i = 0; i < SHA256_HASH_SIZE;) {
445
printf ("%02x", hash[i++]);
453
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
455
sha256_final (&foo, hash);
457
for (i = 0; i < SHA256_HASH_SIZE;) {
458
printf ("%02x", hash[i++]);
465
memset (buf, 'a', sizeof (buf));
466
for (i = 0; i < 1000; i++)
467
sha256_update (&foo, buf, sizeof (buf));
468
sha256_final (&foo, hash);
470
for (i = 0; i < SHA256_HASH_SIZE;) {
471
printf ("%02x", hash[i++]);
480
#endif /* SHA256_TEST */
44
0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
45
0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
46
0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
47
0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
48
0xe49b69c1UL, 0xefbe4786UL, 0xfc19dc6UL, 0x240ca1ccUL,
49
0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
50
0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
51
0xc6e00bf3UL, 0xd5a79147UL, 0x6ca6351UL, 0x14292967UL,
52
0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
53
0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
54
0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
55
0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
56
0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
57
0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
58
0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
59
0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
63
( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) )
65
#define ROUND(a,b,c,d,e,f,g,h,k,data) do { \
66
uint32_t T1 = h + S1(e) + Choice(e,f,g) + k + data; \
67
uint32_t T2 = S0(a) + Majority(a,b,c); \
73
#define EXTRACT_UCHAR(p) (*(const unsigned char *)(p))
76
#define STRING2INT(s) ((((((EXTRACT_UCHAR(s) << 8) \
77
| EXTRACT_UCHAR(s+1)) << 8) \
78
| EXTRACT_UCHAR(s+2)) << 8) \
82
#define EXTRACT_UCHAR(p) (*(const mutils_word8 *)(p))
85
#define STRING2INT(s) ((((((EXTRACT_UCHAR(s) << 8) \
86
| EXTRACT_UCHAR(s+1)) << 8) \
87
| EXTRACT_UCHAR(s+2)) << 8) \
90
/* Initialize the SHA values */
92
void sha256_init(struct sha256_ctx *ctx)
94
/* Initial values, also generated by the shadata program. */
95
static const uint32_t H0[_SHA256_DIGEST_LENGTH] = {
96
0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
97
0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL,
100
memcpy(ctx->state, H0, sizeof(H0));
102
/* Initialize bit count */
103
ctx->count_low = ctx->count_high = 0;
105
/* Initialize buffer */
109
/* Perform the SHA transformation. Note that this code, like MD5, seems to
110
break some optimizing compilers due to the complexity of the expressions
111
and the size of the basic block. It may be necessary to split it into
112
sections, e.g. based on the four subrounds
114
Note that this function destroys the data area */
116
static void sha256_transform(uint32_t *state, uint32_t *data)
118
uint32_t A, B, C, D, E, F, G, H; /* Local vars */
123
/* Set up first buffer and local data buffer */
134
/* First 16 subrounds that act on the original data */
136
for (i = 0, k = K, d = data; i < 16; i += 8, k += 8, d += 8) {
137
ROUND(A, B, C, D, E, F, G, H, k[0], d[0]);
138
ROUND(H, A, B, C, D, E, F, G, k[1], d[1]);
139
ROUND(G, H, A, B, C, D, E, F, k[2], d[2]);
140
ROUND(F, G, H, A, B, C, D, E, k[3], d[3]);
141
ROUND(E, F, G, H, A, B, C, D, k[4], d[4]);
142
ROUND(D, E, F, G, H, A, B, C, k[5], d[5]);
143
ROUND(C, D, E, F, G, H, A, B, k[6], d[6]);
144
ROUND(B, C, D, E, F, G, H, A, k[7], d[7]);
147
for (; i < 64; i += 16, k += 16) {
148
ROUND(A, B, C, D, E, F, G, H, k[0], EXPAND(data, 0));
149
ROUND(H, A, B, C, D, E, F, G, k[1], EXPAND(data, 1));
150
ROUND(G, H, A, B, C, D, E, F, k[2], EXPAND(data, 2));
151
ROUND(F, G, H, A, B, C, D, E, k[3], EXPAND(data, 3));
152
ROUND(E, F, G, H, A, B, C, D, k[4], EXPAND(data, 4));
153
ROUND(D, E, F, G, H, A, B, C, k[5], EXPAND(data, 5));
154
ROUND(C, D, E, F, G, H, A, B, k[6], EXPAND(data, 6));
155
ROUND(B, C, D, E, F, G, H, A, k[7], EXPAND(data, 7));
156
ROUND(A, B, C, D, E, F, G, H, k[8], EXPAND(data, 8));
157
ROUND(H, A, B, C, D, E, F, G, k[9], EXPAND(data, 9));
158
ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10));
159
ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11));
160
ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12));
161
ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13));
162
ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14));
163
ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15));
177
static void sha256_block(struct sha256_ctx *ctx, const unsigned char *block)
179
uint32_t data[SHA256_DATA_LENGTH];
182
/* Update block count */
183
if (!++ctx->count_low)
186
/* Endian independent conversion */
187
for (i = 0; i < SHA256_DATA_LENGTH; i++, block += 4)
188
data[i] = STRING2INT(block);
190
sha256_transform(ctx->state, data);
194
sha256_update(struct sha256_ctx *ctx, const unsigned char *buffer, uint32_t length)
198
if (ctx->index) { /* Try to fill partial block */
199
left = SHA256_DATA_SIZE - ctx->index;
201
memcpy(ctx->block + ctx->index, buffer, length);
202
ctx->index += length;
203
return; /* Finished */
205
memcpy(ctx->block + ctx->index, buffer, left);
206
sha256_block(ctx, ctx->block);
211
while (length >= SHA256_DATA_SIZE) {
212
sha256_block(ctx, buffer);
213
buffer += SHA256_DATA_SIZE;
214
length -= SHA256_DATA_SIZE;
216
/* Buffer leftovers */
217
/* NOTE: The corresponding sha1 code checks for the special case length == 0.
218
* That seems supoptimal, as I suspect it increases the number of branches. */
220
memcpy(ctx->block, buffer, length);
224
/* Final wrapup - pad to SHA1_DATA_SIZE-byte boundary with the bit pattern
225
1 0* (64-bit count of bits processed, MSB-first) */
227
void sha256_final(struct sha256_ctx *ctx)
229
uint32_t data[SHA256_DATA_LENGTH];
235
/* Set the first char of padding to 0x80. This is safe since there is
236
always at least one byte free */
238
/* assert(i < SHA256_DATA_SIZE);
240
ctx->block[i++] = 0x80;
242
/* Fill rest of word */
246
/* i is now a multiple of the word size 4 */
248
for (i = 0; i < words; i++)
249
data[i] = STRING2INT(ctx->block + 4 * i);
251
if (words > (SHA256_DATA_LENGTH - 2)) { /* No room for length in this block. Process it and
252
* pad with another one */
253
for (i = words; i < SHA256_DATA_LENGTH; i++)
255
sha256_transform(ctx->state, data);
256
for (i = 0; i < (SHA256_DATA_LENGTH - 2); i++)
259
for (i = words; i < SHA256_DATA_LENGTH - 2; i++)
262
/* There are 512 = 2^9 bits in one block */
263
data[SHA256_DATA_LENGTH - 2] =
264
(ctx->count_high << 9) | (ctx->count_low >> 23);
265
data[SHA256_DATA_LENGTH - 1] =
266
(ctx->count_low << 9) | (ctx->index << 3);
267
sha256_transform(ctx->state, data);
270
void sha256_digest(const struct sha256_ctx *ctx, unsigned char *s)
275
for (i = 0; i < _SHA256_DIGEST_LENGTH; i++) {
276
*s++ = ctx->state[i] >> 24;
277
*s++ = 0xff & (ctx->state[i] >> 16);
278
*s++ = 0xff & (ctx->state[i] >> 8);
279
*s++ = 0xff & ctx->state[i];