/src/wget/lib/sha256.c

Source (jump to first uncovered line)
/* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
   memory blocks according to the NIST specification FIPS-180-2.

   Copyright (C) 2005-2006, 2008-2023 Free Software Foundation, Inc.

   This file is free software: you can redistribute it and/or modify
   it under the terms of the GNU Lesser General Public License as
   published by the Free Software Foundation; either version 2.1 of the
   License, or (at your option) any later version.

   This file is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public License
   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */

/* Written by David Madore, considerably copypasting from
   Scott G. Miller's sha1.c
*/

#include <config.h>

/* Specification.  */
#if HAVE_OPENSSL_SHA256
# define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
#endif
#include "sha256.h"

#include <stdint.h>
#include <string.h>

#include <byteswap.h>
#ifdef WORDS_BIGENDIAN
# define SWAP(n) (n)
#else
# define SWAP(n) bswap_32 (n)
#endif

#if ! HAVE_OPENSSL_SHA256

/* This array contains the bytes used to pad the buffer to the next
   64-byte boundary.  */
static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ...  */ };


/*
  Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
  initializes it to the start constants of the SHA256 algorithm.  This
  must be called before using hash in the call to sha256_hash
*/
void
sha256_init_ctx (struct sha256_ctx *ctx)
{
  ctx->state[0] = 0x6a09e667UL;
  ctx->state[1] = 0xbb67ae85UL;
  ctx->state[2] = 0x3c6ef372UL;
  ctx->state[3] = 0xa54ff53aUL;
  ctx->state[4] = 0x510e527fUL;
  ctx->state[5] = 0x9b05688cUL;
  ctx->state[6] = 0x1f83d9abUL;
  ctx->state[7] = 0x5be0cd19UL;

  ctx->total[0] = ctx->total[1] = 0;
  ctx->buflen = 0;
}

void
sha224_init_ctx (struct sha256_ctx *ctx)
{
  ctx->state[0] = 0xc1059ed8UL;
  ctx->state[1] = 0x367cd507UL;
  ctx->state[2] = 0x3070dd17UL;
  ctx->state[3] = 0xf70e5939UL;
  ctx->state[4] = 0xffc00b31UL;
  ctx->state[5] = 0x68581511UL;
  ctx->state[6] = 0x64f98fa7UL;
  ctx->state[7] = 0xbefa4fa4UL;

  ctx->total[0] = ctx->total[1] = 0;
  ctx->buflen = 0;
}

/* Copy the value from v into the memory location pointed to by *CP,
   If your architecture allows unaligned access, this is equivalent to
   * (__typeof__ (v) *) cp = v  */
static void
set_uint32 (char *cp, uint32_t v)
{
  memcpy (cp, &v, sizeof v);
}

/* Put result from CTX in first 32 bytes following RESBUF.
   The result must be in little endian byte order.  */
void *
sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
{
  int i;
  char *r = resbuf;

  for (i = 0; i < 8; i++)
    set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));

  return resbuf;
}

void *
sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
{
  int i;
  char *r = resbuf;

  for (i = 0; i < 7; i++)
    set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));

  return resbuf;
}

/* Process the remaining bytes in the internal buffer and the usual
   prolog according to the standard and write the result to RESBUF.  */
static void
sha256_conclude_ctx (struct sha256_ctx *ctx)
{
  /* Take yet unprocessed bytes into account.  */
  size_t bytes = ctx->buflen;
  size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;

  /* Now count remaining bytes.  */
  ctx->total[0] += bytes;
  if (ctx->total[0] < bytes)
    ++ctx->total[1];

  /* Put the 64-bit file length in *bits* at the end of the buffer.
     Use set_uint32 rather than a simple assignment, to avoid risk of
     unaligned access.  */
  set_uint32 ((char *) &ctx->buffer[size - 2],
              SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
  set_uint32 ((char *) &ctx->buffer[size - 1],
              SWAP (ctx->total[0] << 3));

  memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);

  /* Process last bytes.  */
  sha256_process_block (ctx->buffer, size * 4, ctx);
}

void *
sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
{
  sha256_conclude_ctx (ctx);
  return sha256_read_ctx (ctx, resbuf);
}

void *
sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
{
  sha256_conclude_ctx (ctx);
  return sha224_read_ctx (ctx, resbuf);
}

/* Compute SHA256 message digest for LEN bytes beginning at BUFFER.  The
   result is always in little endian byte order, so that a byte-wise
   output yields to the wanted ASCII representation of the message
   digest.  */
void *
sha256_buffer (const char *buffer, size_t len, void *resblock)
{
  struct sha256_ctx ctx;

  /* Initialize the computation context.  */
  sha256_init_ctx (&ctx);

  /* Process whole buffer but last len % 64 bytes.  */
  sha256_process_bytes (buffer, len, &ctx);

  /* Put result in desired memory area.  */
  return sha256_finish_ctx (&ctx, resblock);
}

void *
sha224_buffer (const char *buffer, size_t len, void *resblock)
{
  struct sha256_ctx ctx;

  /* Initialize the computation context.  */
  sha224_init_ctx (&ctx);

  /* Process whole buffer but last len % 64 bytes.  */
  sha256_process_bytes (buffer, len, &ctx);

  /* Put result in desired memory area.  */
  return sha224_finish_ctx (&ctx, resblock);
}

void
sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
{
  /* When we already have some bits in our internal buffer concatenate
     both inputs first.  */
  if (ctx->buflen != 0)
    {
      size_t left_over = ctx->buflen;
      size_t add = 128 - left_over > len ? len : 128 - left_over;

      memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
      ctx->buflen += add;

      if (ctx->buflen > 64)
        {
          sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);

          ctx->buflen &= 63;
          /* The regions in the following copy operation cannot overlap,
             because ctx->buflen < 64 ≤ (left_over + add) & ~63.  */
          memcpy (ctx->buffer,
                  &((char *) ctx->buffer)[(left_over + add) & ~63],
                  ctx->buflen);
        }

      buffer = (const char *) buffer + add;
      len -= add;
    }

  /* Process available complete blocks.  */
  if (len >= 64)
    {
#if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
# define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
      if (UNALIGNED_P (buffer))
        while (len > 64)
          {
            sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
            buffer = (const char *) buffer + 64;
            len -= 64;
          }
      else
#endif
        {
          sha256_process_block (buffer, len & ~63, ctx);
          buffer = (const char *) buffer + (len & ~63);
          len &= 63;
        }
    }

  /* Move remaining bytes in internal buffer.  */
  if (len > 0)
    {
      size_t left_over = ctx->buflen;

      memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
      left_over += len;
      if (left_over >= 64)
        {
          sha256_process_block (ctx->buffer, 64, ctx);
          left_over -= 64;
          /* The regions in the following copy operation cannot overlap,
             because left_over ≤ 64.  */
          memcpy (ctx->buffer, &ctx->buffer[16], left_over);
        }
      ctx->buflen = left_over;
    }
}

/* --- Code below is the primary difference between sha1.c and sha256.c --- */

/* SHA256 round constants */
#define K(I) sha256_round_constants[I]
static const uint32_t sha256_round_constants[64] = {
  0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
  0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
  0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
  0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
  0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
  0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
  0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
  0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
  0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
  0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
  0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
  0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
  0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
  0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
  0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
  0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
};

/* Round functions.  */
#define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
#define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )

/* Process LEN bytes of BUFFER, accumulating context into CTX.
   It is assumed that LEN % 64 == 0.
   Most of this code comes from GnuPG's cipher/sha1.c.  */

void
sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
{
  const uint32_t *words = buffer;
  size_t nwords = len / sizeof (uint32_t);
  const uint32_t *endp = words + nwords;
  uint32_t x[16];
  uint32_t a = ctx->state[0];
  uint32_t b = ctx->state[1];
  uint32_t c = ctx->state[2];
  uint32_t d = ctx->state[3];
  uint32_t e = ctx->state[4];
  uint32_t f = ctx->state[5];
  uint32_t g = ctx->state[6];
  uint32_t h = ctx->state[7];
  uint32_t lolen = len;

  /* First increment the byte count.  FIPS PUB 180-2 specifies the possible
     length of the file up to 2^64 bits.  Here we only compute the
     number of bytes.  Do a double word increment.  */
  ctx->total[0] += lolen;
  ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen);

#define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
#define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
#define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
#define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))

#define M(I) ( tm =   S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
                    + S0(x[(I-15)&0x0f]) + x[I&0x0f]    \
               , x[I&0x0f] = tm )

#define R(A,B,C,D,E,F,G,H,K,M)  do { t0 = SS0(A) + F2(A,B,C); \
                                     t1 = H + SS1(E)  \
                                      + F1(E,F,G)     \
                                      + K             \
                                      + M;            \
                                     D += t1;  H = t0 + t1; \
                               } while(0)

  while (words < endp)
    {
      uint32_t tm;
      uint32_t t0, t1;
      int t;
      /* FIXME: see sha1.c for a better implementation.  */
      for (t = 0; t < 16; t++)
        {
          x[t] = SWAP (*words);
          words++;
        }

      R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
      R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
      R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
      R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
      R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
      R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
      R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
      R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
      R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
      R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
      R( g, h, a, b, c, d, e, f, K(10), x[10] );
      R( f, g, h, a, b, c, d, e, K(11), x[11] );
      R( e, f, g, h, a, b, c, d, K(12), x[12] );
      R( d, e, f, g, h, a, b, c, K(13), x[13] );
      R( c, d, e, f, g, h, a, b, K(14), x[14] );
      R( b, c, d, e, f, g, h, a, K(15), x[15] );
      R( a, b, c, d, e, f, g, h, K(16), M(16) );
      R( h, a, b, c, d, e, f, g, K(17), M(17) );
      R( g, h, a, b, c, d, e, f, K(18), M(18) );
      R( f, g, h, a, b, c, d, e, K(19), M(19) );
      R( e, f, g, h, a, b, c, d, K(20), M(20) );
      R( d, e, f, g, h, a, b, c, K(21), M(21) );
      R( c, d, e, f, g, h, a, b, K(22), M(22) );
      R( b, c, d, e, f, g, h, a, K(23), M(23) );
      R( a, b, c, d, e, f, g, h, K(24), M(24) );
      R( h, a, b, c, d, e, f, g, K(25), M(25) );
      R( g, h, a, b, c, d, e, f, K(26), M(26) );
      R( f, g, h, a, b, c, d, e, K(27), M(27) );
      R( e, f, g, h, a, b, c, d, K(28), M(28) );
      R( d, e, f, g, h, a, b, c, K(29), M(29) );
      R( c, d, e, f, g, h, a, b, K(30), M(30) );
      R( b, c, d, e, f, g, h, a, K(31), M(31) );
      R( a, b, c, d, e, f, g, h, K(32), M(32) );
      R( h, a, b, c, d, e, f, g, K(33), M(33) );
      R( g, h, a, b, c, d, e, f, K(34), M(34) );
      R( f, g, h, a, b, c, d, e, K(35), M(35) );
      R( e, f, g, h, a, b, c, d, K(36), M(36) );
      R( d, e, f, g, h, a, b, c, K(37), M(37) );
      R( c, d, e, f, g, h, a, b, K(38), M(38) );
      R( b, c, d, e, f, g, h, a, K(39), M(39) );
      R( a, b, c, d, e, f, g, h, K(40), M(40) );
      R( h, a, b, c, d, e, f, g, K(41), M(41) );
      R( g, h, a, b, c, d, e, f, K(42), M(42) );
      R( f, g, h, a, b, c, d, e, K(43), M(43) );
      R( e, f, g, h, a, b, c, d, K(44), M(44) );
      R( d, e, f, g, h, a, b, c, K(45), M(45) );
      R( c, d, e, f, g, h, a, b, K(46), M(46) );
      R( b, c, d, e, f, g, h, a, K(47), M(47) );
      R( a, b, c, d, e, f, g, h, K(48), M(48) );
      R( h, a, b, c, d, e, f, g, K(49), M(49) );
      R( g, h, a, b, c, d, e, f, K(50), M(50) );
      R( f, g, h, a, b, c, d, e, K(51), M(51) );
      R( e, f, g, h, a, b, c, d, K(52), M(52) );
      R( d, e, f, g, h, a, b, c, K(53), M(53) );
      R( c, d, e, f, g, h, a, b, K(54), M(54) );
      R( b, c, d, e, f, g, h, a, K(55), M(55) );
      R( a, b, c, d, e, f, g, h, K(56), M(56) );
      R( h, a, b, c, d, e, f, g, K(57), M(57) );
      R( g, h, a, b, c, d, e, f, K(58), M(58) );
      R( f, g, h, a, b, c, d, e, K(59), M(59) );
      R( e, f, g, h, a, b, c, d, K(60), M(60) );
      R( d, e, f, g, h, a, b, c, K(61), M(61) );
      R( c, d, e, f, g, h, a, b, K(62), M(62) );
      R( b, c, d, e, f, g, h, a, K(63), M(63) );

      a = ctx->state[0] += a;
      b = ctx->state[1] += b;
      c = ctx->state[2] += c;
      d = ctx->state[3] += d;
      e = ctx->state[4] += e;
      f = ctx->state[5] += f;
      g = ctx->state[6] += g;
      h = ctx->state[7] += h;
    }
}

#endif

/*
 * Hey Emacs!
 * Local Variables:
 * coding: utf-8
 * End:
 */

Coverage Report

Created: 2023-03-26 07:33

Line	Count	Source (jump to first uncovered line)
1		/* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2		memory blocks according to the NIST specification FIPS-180-2.
3
4		Copyright (C) 2005-2006, 2008-2023 Free Software Foundation, Inc.
5
6		This file is free software: you can redistribute it and/or modify
7		it under the terms of the GNU Lesser General Public License as
8		published by the Free Software Foundation; either version 2.1 of the
9		License, or (at your option) any later version.
10
11		This file is distributed in the hope that it will be useful,
12		but WITHOUT ANY WARRANTY; without even the implied warranty of
13		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14		GNU Lesser General Public License for more details.
15
16		You should have received a copy of the GNU Lesser General Public License
17		along with this program. If not, see <https://www.gnu.org/licenses/>. */
18
19		/* Written by David Madore, considerably copypasting from
20		Scott G. Miller's sha1.c
21		*/
22
23		#include <config.h>
24
25		/* Specification. */
26		#if HAVE_OPENSSL_SHA256
27		# define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
28		#endif
29		#include "sha256.h"
30
31		#include <stdint.h>
32		#include <string.h>
33
34		#include <byteswap.h>
35		#ifdef WORDS_BIGENDIAN
36		# define SWAP(n) (n)
37		#else
38	0	# define SWAP(n) bswap_32 (n)
39		#endif
40
41		#if ! HAVE_OPENSSL_SHA256
42
43		/* This array contains the bytes used to pad the buffer to the next
44		64-byte boundary. */
45		static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
46
47
48		/*
49		Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
50		initializes it to the start constants of the SHA256 algorithm. This
51		must be called before using hash in the call to sha256_hash
52		*/
53		void
54		sha256_init_ctx (struct sha256_ctx *ctx)
55	0	{
56	0	ctx->state[0] = 0x6a09e667UL;
57	0	ctx->state[1] = 0xbb67ae85UL;
58	0	ctx->state[2] = 0x3c6ef372UL;
59	0	ctx->state[3] = 0xa54ff53aUL;
60	0	ctx->state[4] = 0x510e527fUL;
61	0	ctx->state[5] = 0x9b05688cUL;
62	0	ctx->state[6] = 0x1f83d9abUL;
63	0	ctx->state[7] = 0x5be0cd19UL;
64
65	0	ctx->total[0] = ctx->total[1] = 0;
66	0	ctx->buflen = 0;
67	0	}
68
69		void
70		sha224_init_ctx (struct sha256_ctx *ctx)
71	0	{
72	0	ctx->state[0] = 0xc1059ed8UL;
73	0	ctx->state[1] = 0x367cd507UL;
74	0	ctx->state[2] = 0x3070dd17UL;
75	0	ctx->state[3] = 0xf70e5939UL;
76	0	ctx->state[4] = 0xffc00b31UL;
77	0	ctx->state[5] = 0x68581511UL;
78	0	ctx->state[6] = 0x64f98fa7UL;
79	0	ctx->state[7] = 0xbefa4fa4UL;
80
81	0	ctx->total[0] = ctx->total[1] = 0;
82	0	ctx->buflen = 0;
83	0	}
84
85		/* Copy the value from v into the memory location pointed to by *CP,
86		If your architecture allows unaligned access, this is equivalent to
87		* (__typeof__ (v) ) cp = v /
88		static void
89		set_uint32 (char *cp, uint32_t v)
90	0	{
91	0	memcpy (cp, &v, sizeof v);
92	0	}
93
94		/* Put result from CTX in first 32 bytes following RESBUF.
95		The result must be in little endian byte order. */
96		void *
97		sha256_read_ctx (const struct sha256_ctx ctx, void resbuf)
98	0	{
99	0	int i;
100	0	char *r = resbuf;
101
102	0	for (i = 0; i < 8; i++)
103	0	set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
104
105	0	return resbuf;
106	0	}
107
108		void *
109		sha224_read_ctx (const struct sha256_ctx ctx, void resbuf)
110	0	{
111	0	int i;
112	0	char *r = resbuf;
113
114	0	for (i = 0; i < 7; i++)
115	0	set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
116
117	0	return resbuf;
118	0	}
119
120		/* Process the remaining bytes in the internal buffer and the usual
121		prolog according to the standard and write the result to RESBUF. */
122		static void
123		sha256_conclude_ctx (struct sha256_ctx *ctx)
124	0	{
125		/* Take yet unprocessed bytes into account. */
126	0	size_t bytes = ctx->buflen;
127	0	size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
128
129		/* Now count remaining bytes. */
130	0	ctx->total[0] += bytes;
131	0	if (ctx->total[0] < bytes)
132	0	++ctx->total[1];
133
134		/* Put the 64-bit file length in bits at the end of the buffer.
135		Use set_uint32 rather than a simple assignment, to avoid risk of
136		unaligned access. */
137	0	set_uint32 ((char *) &ctx->buffer[size - 2],
138	0	SWAP ((ctx->total[1] << 3) \| (ctx->total[0] >> 29)));
139	0	set_uint32 ((char *) &ctx->buffer[size - 1],
140	0	SWAP (ctx->total[0] << 3));
141
142	0	memcpy (&((char ) ctx->buffer)[bytes], fillbuf, (size - 2) 4 - bytes);
143
144		/* Process last bytes. */
145	0	sha256_process_block (ctx->buffer, size * 4, ctx);
146	0	}
147
148		void *
149		sha256_finish_ctx (struct sha256_ctx ctx, void resbuf)
150	0	{
151	0	sha256_conclude_ctx (ctx);
152	0	return sha256_read_ctx (ctx, resbuf);
153	0	}
154
155		void *
156		sha224_finish_ctx (struct sha256_ctx ctx, void resbuf)
157	0	{
158	0	sha256_conclude_ctx (ctx);
159	0	return sha224_read_ctx (ctx, resbuf);
160	0	}
161
162		/* Compute SHA256 message digest for LEN bytes beginning at BUFFER. The
163		result is always in little endian byte order, so that a byte-wise
164		output yields to the wanted ASCII representation of the message
165		digest. */
166		void *
167		sha256_buffer (const char buffer, size_t len, void resblock)
168	0	{
169	0	struct sha256_ctx ctx;
170
171		/* Initialize the computation context. */
172	0	sha256_init_ctx (&ctx);
173
174		/* Process whole buffer but last len % 64 bytes. */
175	0	sha256_process_bytes (buffer, len, &ctx);
176
177		/* Put result in desired memory area. */
178	0	return sha256_finish_ctx (&ctx, resblock);
179	0	}
180
181		void *
182		sha224_buffer (const char buffer, size_t len, void resblock)
183	0	{
184	0	struct sha256_ctx ctx;
185
186		/* Initialize the computation context. */
187	0	sha224_init_ctx (&ctx);
188
189		/* Process whole buffer but last len % 64 bytes. */
190	0	sha256_process_bytes (buffer, len, &ctx);
191
192		/* Put result in desired memory area. */
193	0	return sha224_finish_ctx (&ctx, resblock);
194	0	}
195
196		void
197		sha256_process_bytes (const void buffer, size_t len, struct sha256_ctx ctx)
198	0	{
199		/* When we already have some bits in our internal buffer concatenate
200		both inputs first. */
201	0	if (ctx->buflen != 0)
202	0	{
203	0	size_t left_over = ctx->buflen;
204	0	size_t add = 128 - left_over > len ? len : 128 - left_over;
205
206	0	memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
207	0	ctx->buflen += add;
208
209	0	if (ctx->buflen > 64)
210	0	{
211	0	sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
212
213	0	ctx->buflen &= 63;
214		/* The regions in the following copy operation cannot overlap,
215		because ctx->buflen < 64 ≤ (left_over + add) & ~63. */
216	0	memcpy (ctx->buffer,
217	0	&((char *) ctx->buffer)[(left_over + add) & ~63],
218	0	ctx->buflen);
219	0	}
220
221	0	buffer = (const char *) buffer + add;
222	0	len -= add;
223	0	}
224
225		/* Process available complete blocks. */
226	0	if (len >= 64)
227	0	{
228	0	#if !(_STRING_ARCH_unaligned \|\| _STRING_INLINE_unaligned)
229	0	# define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (uint32_t) != 0)
230	0	if (UNALIGNED_P (buffer))
231	0	while (len > 64)
232	0	{
233	0	sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
234	0	buffer = (const char *) buffer + 64;
235	0	len -= 64;
236	0	}
237	0	else
238	0	#endif
239	0	{
240	0	sha256_process_block (buffer, len & ~63, ctx);
241	0	buffer = (const char *) buffer + (len & ~63);
242	0	len &= 63;
243	0	}
244	0	}
245
246		/* Move remaining bytes in internal buffer. */
247	0	if (len > 0)
248	0	{
249	0	size_t left_over = ctx->buflen;
250
251	0	memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
252	0	left_over += len;
253	0	if (left_over >= 64)
254	0	{
255	0	sha256_process_block (ctx->buffer, 64, ctx);
256	0	left_over -= 64;
257		/* The regions in the following copy operation cannot overlap,
258		because left_over ≤ 64. */
259	0	memcpy (ctx->buffer, &ctx->buffer[16], left_over);
260	0	}
261	0	ctx->buflen = left_over;
262	0	}
263	0	}
264
265		/* --- Code below is the primary difference between sha1.c and sha256.c --- */
266
267		/* SHA256 round constants */
268		#define K(I) sha256_round_constants[I]
269		static const uint32_t sha256_round_constants[64] = {
270		0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
271		0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
272		0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
273		0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
274		0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
275		0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
276		0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
277		0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
278		0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
279		0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
280		0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
281		0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
282		0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
283		0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
284		0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
285		0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
286		};
287
288		/* Round functions. */
289	0	#define F2(A,B,C) ( ( A & B ) \| ( C & ( A \| B ) ) )
290	0	#define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
291
292		/* Process LEN bytes of BUFFER, accumulating context into CTX.
293		It is assumed that LEN % 64 == 0.
294		Most of this code comes from GnuPG's cipher/sha1.c. */
295
296		void
297		sha256_process_block (const void buffer, size_t len, struct sha256_ctx ctx)
298	0	{
299	0	const uint32_t *words = buffer;
300	0	size_t nwords = len / sizeof (uint32_t);
301	0	const uint32_t *endp = words + nwords;
302	0	uint32_t x[16];
303	0	uint32_t a = ctx->state[0];
304	0	uint32_t b = ctx->state[1];
305	0	uint32_t c = ctx->state[2];
306	0	uint32_t d = ctx->state[3];
307	0	uint32_t e = ctx->state[4];
308	0	uint32_t f = ctx->state[5];
309	0	uint32_t g = ctx->state[6];
310	0	uint32_t h = ctx->state[7];
311	0	uint32_t lolen = len;
312
313		/* First increment the byte count. FIPS PUB 180-2 specifies the possible
314		length of the file up to 2^64 bits. Here we only compute the
315		number of bytes. Do a double word increment. */
316	0	ctx->total[0] += lolen;
317	0	ctx->total[1] += (len >> 31 >> 1) + (ctx->total[0] < lolen);
318
319	0	#define rol(x, n) (((x) << (n)) \| ((x) >> (32 - (n))))
320	0	#define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
321	0	#define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
322	0	#define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
323	0	#define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
324
325	0	#define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
326	0	+ S0(x[(I-15)&0x0f]) + x[I&0x0f] \
327	0	, x[I&0x0f] = tm )
328
329	0	#define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
330	0	t1 = H + SS1(E) \
331	0	+ F1(E,F,G) \
332	0	+ K \
333	0	+ M; \
334	0	D += t1; H = t0 + t1; \
335	0	} while(0)
336
337	0	while (words < endp)
338	0	{
339	0	uint32_t tm;
340	0	uint32_t t0, t1;
341	0	int t;
342		/* FIXME: see sha1.c for a better implementation. */
343	0	for (t = 0; t < 16; t++)
344	0	{
345	0	x[t] = SWAP (*words);
346	0	words++;
347	0	}
348
349	0	R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
350	0	R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
351	0	R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
352	0	R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
353	0	R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
354	0	R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
355	0	R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
356	0	R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
357	0	R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
358	0	R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
359	0	R( g, h, a, b, c, d, e, f, K(10), x[10] );
360	0	R( f, g, h, a, b, c, d, e, K(11), x[11] );
361	0	R( e, f, g, h, a, b, c, d, K(12), x[12] );
362	0	R( d, e, f, g, h, a, b, c, K(13), x[13] );
363	0	R( c, d, e, f, g, h, a, b, K(14), x[14] );
364	0	R( b, c, d, e, f, g, h, a, K(15), x[15] );
365	0	R( a, b, c, d, e, f, g, h, K(16), M(16) );
366	0	R( h, a, b, c, d, e, f, g, K(17), M(17) );
367	0	R( g, h, a, b, c, d, e, f, K(18), M(18) );
368	0	R( f, g, h, a, b, c, d, e, K(19), M(19) );
369	0	R( e, f, g, h, a, b, c, d, K(20), M(20) );
370	0	R( d, e, f, g, h, a, b, c, K(21), M(21) );
371	0	R( c, d, e, f, g, h, a, b, K(22), M(22) );
372	0	R( b, c, d, e, f, g, h, a, K(23), M(23) );
373	0	R( a, b, c, d, e, f, g, h, K(24), M(24) );
374	0	R( h, a, b, c, d, e, f, g, K(25), M(25) );
375	0	R( g, h, a, b, c, d, e, f, K(26), M(26) );
376	0	R( f, g, h, a, b, c, d, e, K(27), M(27) );
377	0	R( e, f, g, h, a, b, c, d, K(28), M(28) );
378	0	R( d, e, f, g, h, a, b, c, K(29), M(29) );
379	0	R( c, d, e, f, g, h, a, b, K(30), M(30) );
380	0	R( b, c, d, e, f, g, h, a, K(31), M(31) );
381	0	R( a, b, c, d, e, f, g, h, K(32), M(32) );
382	0	R( h, a, b, c, d, e, f, g, K(33), M(33) );
383	0	R( g, h, a, b, c, d, e, f, K(34), M(34) );
384	0	R( f, g, h, a, b, c, d, e, K(35), M(35) );
385	0	R( e, f, g, h, a, b, c, d, K(36), M(36) );
386	0	R( d, e, f, g, h, a, b, c, K(37), M(37) );
387	0	R( c, d, e, f, g, h, a, b, K(38), M(38) );
388	0	R( b, c, d, e, f, g, h, a, K(39), M(39) );
389	0	R( a, b, c, d, e, f, g, h, K(40), M(40) );
390	0	R( h, a, b, c, d, e, f, g, K(41), M(41) );
391	0	R( g, h, a, b, c, d, e, f, K(42), M(42) );
392	0	R( f, g, h, a, b, c, d, e, K(43), M(43) );
393	0	R( e, f, g, h, a, b, c, d, K(44), M(44) );
394	0	R( d, e, f, g, h, a, b, c, K(45), M(45) );
395	0	R( c, d, e, f, g, h, a, b, K(46), M(46) );
396	0	R( b, c, d, e, f, g, h, a, K(47), M(47) );
397	0	R( a, b, c, d, e, f, g, h, K(48), M(48) );
398	0	R( h, a, b, c, d, e, f, g, K(49), M(49) );
399	0	R( g, h, a, b, c, d, e, f, K(50), M(50) );
400	0	R( f, g, h, a, b, c, d, e, K(51), M(51) );
401	0	R( e, f, g, h, a, b, c, d, K(52), M(52) );
402	0	R( d, e, f, g, h, a, b, c, K(53), M(53) );
403	0	R( c, d, e, f, g, h, a, b, K(54), M(54) );
404	0	R( b, c, d, e, f, g, h, a, K(55), M(55) );
405	0	R( a, b, c, d, e, f, g, h, K(56), M(56) );
406	0	R( h, a, b, c, d, e, f, g, K(57), M(57) );
407	0	R( g, h, a, b, c, d, e, f, K(58), M(58) );
408	0	R( f, g, h, a, b, c, d, e, K(59), M(59) );
409	0	R( e, f, g, h, a, b, c, d, K(60), M(60) );
410	0	R( d, e, f, g, h, a, b, c, K(61), M(61) );
411	0	R( c, d, e, f, g, h, a, b, K(62), M(62) );
412	0	R( b, c, d, e, f, g, h, a, K(63), M(63) );
413
414	0	a = ctx->state[0] += a;
415	0	b = ctx->state[1] += b;
416	0	c = ctx->state[2] += c;
417	0	d = ctx->state[3] += d;
418	0	e = ctx->state[4] += e;
419	0	f = ctx->state[5] += f;
420	0	g = ctx->state[6] += g;
421	0	h = ctx->state[7] += h;
422	0	}
423	0	}
424
425		#endif
426
427		/*
428		* Hey Emacs!
429		* Local Variables:
430		* coding: utf-8
431		* End:
432		*/