1.\" $NetBSD: sha2.3,v 1.8 2017/10/30 15:44:29 wiz Exp $ 2.\" $OpenBSD: sha2.3,v 1.11 2004/06/22 01:57:29 jfb Exp $ 3.\" 4.\" Copyright (c) 2003, 2004 Todd C. Miller <Todd.Miller@courtesan.com> 5.\" 6.\" Permission to use, copy, modify, and distribute this software for any 7.\" purpose with or without fee is hereby granted, provided that the above 8.\" copyright notice and this permission notice appear in all copies. 9.\" 10.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17.\" 18.\" Sponsored in part by the Defense Advanced Research Projects 19.\" Agency (DARPA) and Air Force Research Laboratory, Air Force 20.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. 21.\" 22.\" See http://www.nist.gov/sha/ for the detailed standard 23.\" 24.Dd May 20, 2009 25.Dt SHA2 3 26.Os 27.Sh NAME 28.Nm SHA224_Init , 29.Nm SHA224_Update , 30.Nm SHA224_Pad , 31.Nm SHA224_Final , 32.Nm SHA224_Transform , 33.Nm SHA224_End , 34.Nm SHA224_File , 35.Nm SHA224_FileChunk , 36.Nm SHA224_Data , 37.Nm SHA256_Init , 38.Nm SHA256_Update , 39.Nm SHA256_Pad , 40.Nm SHA256_Final , 41.Nm SHA256_Transform , 42.Nm SHA256_End , 43.Nm SHA256_File , 44.Nm SHA256_FileChunk , 45.Nm SHA256_Data , 46.Nm SHA384_Init , 47.Nm SHA384_Update , 48.Nm SHA384_Pad , 49.Nm SHA384_Final , 50.Nm SHA384_Transform , 51.Nm SHA384_End , 52.Nm SHA384_File , 53.Nm SHA384_FileChunk , 54.Nm SHA384_Data , 55.Nm SHA512_Init , 56.Nm SHA512_Update , 57.Nm SHA512_Pad , 58.Nm SHA512_Final , 59.Nm SHA512_Transform , 60.Nm SHA512_End , 61.Nm SHA512_File , 62.Nm SHA512_FileChunk , 63.Nm SHA512_Data 64.Nd calculate the NIST Secure Hash Standard (version 2) 65.Sh SYNOPSIS 66.In sys/types.h 67.In sha2.h 68.Ft void 69.Fn SHA224_Init "SHA224_CTX *context" 70.Ft void 71.Fn SHA224_Update "SHA224_CTX *context" "const uint8_t *data" "size_t len" 72.Ft void 73.Fn SHA224_Pad "SHA224_CTX *context" 74.Ft void 75.Fn SHA224_Final "uint8_t digest[SHA224_DIGEST_LENGTH]" "SHA224_CTX *context" 76.Ft void 77.Fn SHA224_Transform "uint32_t state[8]" "const uint8_t buffer[SHA224_BLOCK_LENGTH]" 78.Ft "char *" 79.Fn SHA224_End "SHA224_CTX *context" "char *buf" 80.Ft "char *" 81.Fn SHA224_File "const char *filename" "char *buf" 82.Ft "char *" 83.Fn SHA224_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" 84.Ft "char *" 85.Fn SHA224_Data "uint8_t *data" "size_t len" "char *buf" 86.Ft void 87.Fn SHA256_Init "SHA256_CTX *context" 88.Ft void 89.Fn SHA256_Update "SHA256_CTX *context" "const uint8_t *data" "size_t len" 90.Ft void 91.Fn SHA256_Pad "SHA256_CTX *context" 92.Ft void 93.Fn SHA256_Final "uint8_t digest[SHA256_DIGEST_LENGTH]" "SHA256_CTX *context" 94.Ft void 95.Fn SHA256_Transform "uint32_t state[8]" "const uint8_t buffer[SHA256_BLOCK_LENGTH]" 96.Ft "char *" 97.Fn SHA256_End "SHA256_CTX *context" "char *buf" 98.Ft "char *" 99.Fn SHA256_File "const char *filename" "char *buf" 100.Ft "char *" 101.Fn SHA256_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" 102.Ft "char *" 103.Fn SHA256_Data "uint8_t *data" "size_t len" "char *buf" 104.Ft void 105.Fn SHA384_Init "SHA384_CTX *context" 106.Ft void 107.Fn SHA384_Update "SHA384_CTX *context" "const uint8_t *data" "size_t len" 108.Ft void 109.Fn SHA384_Pad "SHA384_CTX *context" 110.Ft void 111.Fn SHA384_Final "uint8_t digest[SHA384_DIGEST_LENGTH]" "SHA384_CTX *context" 112.Ft void 113.Fn SHA384_Transform "uint64_t state[8]" "const uint8_t buffer[SHA384_BLOCK_LENGTH]" 114.Ft "char *" 115.Fn SHA384_End "SHA384_CTX *context" "char *buf" 116.Ft "char *" 117.Fn SHA384_File "char *filename" "char *buf" 118.Ft "char *" 119.Fn SHA384_FileChunk "char *filename" "char *buf" "off_t offset" "off_t length" 120.Ft "char *" 121.Fn SHA384_Data "uint8_t *data" "size_t len" "char *buf" 122.Ft void 123.Fn SHA512_Init "SHA512_CTX *context" 124.Ft void 125.Fn SHA512_Update "SHA512_CTX *context" "const uint8_t *data" "size_t len" 126.Ft void 127.Fn SHA512_Pad "SHA512_CTX *context" 128.Ft void 129.Fn SHA512_Final "uint8_t digest[SHA512_DIGEST_LENGTH]" "SHA512_CTX *context" 130.Ft void 131.Fn SHA512_Transform "uint64_t state[8]" "const uint8_t buffer[SHA512_BLOCK_LENGTH]" 132.Ft "char *" 133.Fn SHA512_End "SHA512_CTX *context" "char *buf" 134.Ft "char *" 135.Fn SHA512_File "char *filename" "char *buf" 136.Ft "char *" 137.Fn SHA512_FileChunk "char *filename" "char *buf" "off_t offset" "off_t length" 138.Ft "char *" 139.Fn SHA512_Data "uint8_t *data" "size_t len" "char *buf" 140.Sh DESCRIPTION 141The SHA2 functions implement the NIST Secure Hash Standard, 142FIPS PUB 180-2. 143The SHA2 functions are used to generate a condensed representation of a 144message called a message digest, suitable for use as a digital signature. 145There are four families of functions, with names corresponding to 146the number of bits in the resulting message digest. 147The SHA-224 and SHA-256 functions are limited to processing a message of less 148than 2^64 bits as input. 149The SHA-384 and SHA-512 functions can process a message of at most 2^128 - 1 150bits as input. 151.Pp 152The SHA2 functions are considered to be more secure than the 153.Xr sha1 3 154functions with which they share a similar interface. 155The 224, 256, 384, and 512-bit versions of SHA2 share the same interface. 156For brevity, only the 256-bit variants are described below. 157.Pp 158The 159.Fn SHA256_Init 160function initializes a SHA256_CTX 161.Ar context 162for use with 163.Fn SHA256_Update , 164and 165.Fn SHA256_Final . 166The 167.Fn SHA256_Update 168function adds 169.Ar data 170of length 171.Ar len 172to the SHA256_CTX specified by 173.Ar context . 174.Fn SHA256_Final 175is called when all data has been added via 176.Fn SHA256_Update 177and stores a message digest in the 178.Ar digest 179parameter. 180.Pp 181The 182.Fn SHA256_Pad 183function can be used to apply padding to the message digest as in 184.Fn SHA256_Final , 185but the current context can still be used with 186.Fn SHA256_Update . 187.Pp 188The 189.Fn SHA256_Transform 190function is used by 191.Fn SHA256_Update 192to hash 512-bit blocks and forms the core of the algorithm. 193Most programs should use the interface provided by 194.Fn SHA256_Init , 195.Fn SHA256_Update , 196and 197.Fn SHA256_Final 198instead of calling 199.Fn SHA256_Transform 200directly. 201.Pp 202The 203.Fn SHA256_End 204function is a front end for 205.Fn SHA256_Final 206which converts the digest into an ASCII representation of the digest 207in hexadecimal. 208.Pp 209The 210.Fn SHA256_File 211function calculates the digest for a file and returns the result via 212.Fn SHA256_End . 213If 214.Fn SHA256_File 215is unable to open the file, a 216.Dv NULL 217pointer is returned. 218.Pp 219.Fn SHA256_FileChunk 220behaves like 221.Fn SHA256_File 222but calculates the digest only for that portion of the file starting at 223.Fa offset 224and continuing for 225.Fa length 226bytes or until end of file is reached, whichever comes first. 227A zero 228.Fa length 229can be specified to read until end of file. 230A negative 231.Fa length 232or 233.Fa offset 234will be ignored. 235.Pp 236The 237.Fn SHA256_Data 238function 239calculates the digest of an arbitrary string and returns the result via 240.Fn SHA256_End . 241.Pp 242For each of the 243.Fn SHA256_End , 244.Fn SHA256_File , 245.Fn SHA256_FileChunk , 246and 247.Fn SHA256_Data 248functions the 249.Ar buf 250parameter should either be a string large enough to hold the resulting digest 251(e.g., 252.Ev SHA224_DIGEST_STRING_LENGTH , 253.Ev SHA256_DIGEST_STRING_LENGTH , 254.Ev SHA384_DIGEST_STRING_LENGTH , 255or 256.Ev SHA512_DIGEST_STRING_LENGTH , 257depending on the function being used) 258or a 259.Dv NULL 260pointer. 261In the latter case, space will be dynamically allocated via 262.Xr malloc 3 263and should be freed using 264.Xr free 3 265when it is no longer needed. 266.Sh EXAMPLES 267The following code fragment will calculate the SHA-256 digest for the string 268.Qq abc , 269which is 270.Dq 0xba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad . 271.Bd -literal -offset indent 272SHA256_CTX ctx; 273uint8_t results[SHA256_DIGEST_LENGTH]; 274char *buf; 275int n; 276 277buf = "abc"; 278n = strlen(buf); 279SHA256_Init(&ctx); 280SHA256_Update(&ctx, (uint8_t *)buf, n); 281SHA256_Final(results, &ctx); 282 283/* Print the digest as one long hex value */ 284printf("0x"); 285for (n = 0; n < SHA256_DIGEST_LENGTH; n++) 286 printf("%02x", results[n]); 287putchar('\en'); 288.Ed 289.Pp 290Alternately, the helper functions could be used in the following way: 291.Bd -literal -offset indent 292SHA256_CTX ctx; 293uint8_t output[SHA256_DIGEST_STRING_LENGTH]; 294char *buf = "abc"; 295 296printf("0x%s\en", SHA256_Data(buf, strlen(buf), output)); 297.Ed 298.Sh SEE ALSO 299.Xr cksum 1 , 300.Xr md4 3 , 301.Xr md5 3 , 302.Xr rmd160 3 , 303.Xr sha1 3 304.Rs 305.%T Secure Hash Standard 306.%O FIPS PUB 180-2 307.Re 308.Sh HISTORY 309The SHA2 functions appeared in 310.Ox 3.4 311and 312.Nx 3.0 . 313.Sh AUTHORS 314.An -nosplit 315This implementation of the SHA functions was written by 316.An Aaron D. Gifford . 317.Pp 318The 319.Fn SHA256_End , 320.Fn SHA256_File , 321.Fn SHA256_FileChunk , 322and 323.Fn SHA256_Data 324helper functions are derived from code written by 325.An Poul-Henning Kamp . 326.Sh CAVEATS 327This implementation of the Secure Hash Standard has not been validated by 328NIST and as such is not in official compliance with the standard. 329.Pp 330If a message digest is to be copied to a multi-byte type (i.e.: 331an array of five 32-bit integers) it will be necessary to 332perform byte swapping on little endian machines such as the i386, alpha, 333and vax. 334