projects / project / opkg-lede.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Use uppercase M for printing maintainer field, to be consistent.
[project/opkg-lede.git] / libopkg / sha256.c
1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005, 2006, 2008 Free Software Foundation, Inc.
5
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>. */
18
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21 */
22
23 #include <config.h>
24
25 #include "sha256.h"
26
27 #include <stddef.h>
28 #include <string.h>
29
30 #if USE_UNLOCKED_IO
31 # include "unlocked-io.h"
32 #endif
33
34 #ifdef WORDS_BIGENDIAN
35 # define SWAP(n) (n)
36 #else
37 # define SWAP(n) \
38 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
39 #endif
40
41 #define BLOCKSIZE 4096
42 #if BLOCKSIZE % 64 != 0
43 # error "invalid BLOCKSIZE"
44 #endif
45
46 /* This array contains the bytes used to pad the buffer to the next
47 64-byte boundary. */
48 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
49
50
51 /*
52 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
53 intializes it to the start constants of the SHA256 algorithm. This
54 must be called before using hash in the call to sha256_hash
55 */
56 void
57 sha256_init_ctx (struct sha256_ctx *ctx)
58 {
59 ctx->state[0] = 0x6a09e667UL;
60 ctx->state[1] = 0xbb67ae85UL;
61 ctx->state[2] = 0x3c6ef372UL;
62 ctx->state[3] = 0xa54ff53aUL;
63 ctx->state[4] = 0x510e527fUL;
64 ctx->state[5] = 0x9b05688cUL;
65 ctx->state[6] = 0x1f83d9abUL;
66 ctx->state[7] = 0x5be0cd19UL;
67
68 ctx->total[0] = ctx->total[1] = 0;
69 ctx->buflen = 0;
70 }
71
72 void
73 sha224_init_ctx (struct sha256_ctx *ctx)
74 {
75 ctx->state[0] = 0xc1059ed8UL;
76 ctx->state[1] = 0x367cd507UL;
77 ctx->state[2] = 0x3070dd17UL;
78 ctx->state[3] = 0xf70e5939UL;
79 ctx->state[4] = 0xffc00b31UL;
80 ctx->state[5] = 0x68581511UL;
81 ctx->state[6] = 0x64f98fa7UL;
82 ctx->state[7] = 0xbefa4fa4UL;
83
84 ctx->total[0] = ctx->total[1] = 0;
85 ctx->buflen = 0;
86 }
87
88 /* Copy the value from v into the memory location pointed to by *cp,
89 If your architecture allows unaligned access this is equivalent to
90 * (uint32_t *) cp = v */
91 static inline void
92 set_uint32 (char *cp, uint32_t v)
93 {
94 memcpy (cp, &v, sizeof v);
95 }
96
97 /* Put result from CTX in first 32 bytes following RESBUF. The result
98 must be in little endian byte order. */
99 void *
100 sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
101 {
102 int i;
103 char *r = resbuf;
104
105 for (i = 0; i < 8; i++)
106 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
107
108 return resbuf;
109 }
110
111 void *
112 sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
113 {
114 int i;
115 char *r = resbuf;
116
117 for (i = 0; i < 7; i++)
118 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
119
120 return resbuf;
121 }
122
123 /* Process the remaining bytes in the internal buffer and the usual
124 prolog according to the standard and write the result to RESBUF. */
125 static void
126 sha256_conclude_ctx (struct sha256_ctx *ctx)
127 {
128 /* Take yet unprocessed bytes into account. */
129 size_t bytes = ctx->buflen;
130 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
131
132 /* Now count remaining bytes. */
133 ctx->total[0] += bytes;
134 if (ctx->total[0] < bytes)
135 ++ctx->total[1];
136
137 /* Put the 64-bit file length in *bits* at the end of the buffer.
138 Use set_uint32 rather than a simple assignment, to avoid risk of
139 unaligned access. */
140 set_uint32 ((char *) &ctx->buffer[size - 2],
141 SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
142 set_uint32 ((char *) &ctx->buffer[size - 1],
143 SWAP (ctx->total[0] << 3));
144
145 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
146
147 /* Process last bytes. */
148 sha256_process_block (ctx->buffer, size * 4, ctx);
149 }
150
151 void *
152 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
153 {
154 sha256_conclude_ctx (ctx);
155 return sha256_read_ctx (ctx, resbuf);
156 }
157
158 void *
159 sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
160 {
161 sha256_conclude_ctx (ctx);
162 return sha224_read_ctx (ctx, resbuf);
163 }
164
165 /* Compute SHA256 message digest for bytes read from STREAM. The
166 resulting message digest number will be written into the 32 bytes
167 beginning at RESBLOCK. */
168 int
169 sha256_stream (FILE *stream, void *resblock)
170 {
171 struct sha256_ctx ctx;
172 char buffer[BLOCKSIZE + 72];
173 size_t sum;
174
175 /* Initialize the computation context. */
176 sha256_init_ctx (&ctx);
177
178 /* Iterate over full file contents. */
179 while (1)
180 {
181 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
182 computation function processes the whole buffer so that with the
183 next round of the loop another block can be read. */
184 size_t n;
185 sum = 0;
186
187 /* Read block. Take care for partial reads. */
188 while (1)
189 {
190 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
191
192 sum += n;
193
194 if (sum == BLOCKSIZE)
195 break;
196
197 if (n == 0)
198 {
199 /* Check for the error flag IFF N == 0, so that we don't
200 exit the loop after a partial read due to e.g., EAGAIN
201 or EWOULDBLOCK. */
202 if (ferror (stream))
203 return 1;
204 goto process_partial_block;
205 }
206
207 /* We've read at least one byte, so ignore errors. But always
208 check for EOF, since feof may be true even though N > 0.
209 Otherwise, we could end up calling fread after EOF. */
210 if (feof (stream))
211 goto process_partial_block;
212 }
213
214 /* Process buffer with BLOCKSIZE bytes. Note that
215 BLOCKSIZE % 64 == 0
216 */
217 sha256_process_block (buffer, BLOCKSIZE, &ctx);
218 }
219
220 process_partial_block:;
221
222 /* Process any remaining bytes. */
223 if (sum > 0)
224 sha256_process_bytes (buffer, sum, &ctx);
225
226 /* Construct result in desired memory. */
227 sha256_finish_ctx (&ctx, resblock);
228 return 0;
229 }
230
231 /* FIXME: Avoid code duplication */
232 int
233 sha224_stream (FILE *stream, void *resblock)
234 {
235 struct sha256_ctx ctx;
236 char buffer[BLOCKSIZE + 72];
237 size_t sum;
238
239 /* Initialize the computation context. */
240 sha224_init_ctx (&ctx);
241
242 /* Iterate over full file contents. */
243 while (1)
244 {
245 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
246 computation function processes the whole buffer so that with the
247 next round of the loop another block can be read. */
248 size_t n;
249 sum = 0;
250
251 /* Read block. Take care for partial reads. */
252 while (1)
253 {
254 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
255
256 sum += n;
257
258 if (sum == BLOCKSIZE)
259 break;
260
261 if (n == 0)
262 {
263 /* Check for the error flag IFF N == 0, so that we don't
264 exit the loop after a partial read due to e.g., EAGAIN
265 or EWOULDBLOCK. */
266 if (ferror (stream))
267 return 1;
268 goto process_partial_block;
269 }
270
271 /* We've read at least one byte, so ignore errors. But always
272 check for EOF, since feof may be true even though N > 0.
273 Otherwise, we could end up calling fread after EOF. */
274 if (feof (stream))
275 goto process_partial_block;
276 }
277
278 /* Process buffer with BLOCKSIZE bytes. Note that
279 BLOCKSIZE % 64 == 0
280 */
281 sha256_process_block (buffer, BLOCKSIZE, &ctx);
282 }
283
284 process_partial_block:;
285
286 /* Process any remaining bytes. */
287 if (sum > 0)
288 sha256_process_bytes (buffer, sum, &ctx);
289
290 /* Construct result in desired memory. */
291 sha224_finish_ctx (&ctx, resblock);
292 return 0;
293 }
294
295 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
296 result is always in little endian byte order, so that a byte-wise
297 output yields to the wanted ASCII representation of the message
298 digest. */
299 void *
300 sha256_buffer (const char *buffer, size_t len, void *resblock)
301 {
302 struct sha256_ctx ctx;
303
304 /* Initialize the computation context. */
305 sha256_init_ctx (&ctx);
306
307 /* Process whole buffer but last len % 64 bytes. */
308 sha256_process_bytes (buffer, len, &ctx);
309
310 /* Put result in desired memory area. */
311 return sha256_finish_ctx (&ctx, resblock);
312 }
313
314 void *
315 sha224_buffer (const char *buffer, size_t len, void *resblock)
316 {
317 struct sha256_ctx ctx;
318
319 /* Initialize the computation context. */
320 sha224_init_ctx (&ctx);
321
322 /* Process whole buffer but last len % 64 bytes. */
323 sha256_process_bytes (buffer, len, &ctx);
324
325 /* Put result in desired memory area. */
326 return sha224_finish_ctx (&ctx, resblock);
327 }
328
329 void
330 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
331 {
332 /* When we already have some bits in our internal buffer concatenate
333 both inputs first. */
334 if (ctx->buflen != 0)
335 {
336 size_t left_over = ctx->buflen;
337 size_t add = 128 - left_over > len ? len : 128 - left_over;
338
339 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
340 ctx->buflen += add;
341
342 if (ctx->buflen > 64)
343 {
344 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
345
346 ctx->buflen &= 63;
347 /* The regions in the following copy operation cannot overlap. */
348 memcpy (ctx->buffer,
349 &((char *) ctx->buffer)[(left_over + add) & ~63],
350 ctx->buflen);
351 }
352
353 buffer = (const char *) buffer + add;
354 len -= add;
355 }
356
357 /* Process available complete blocks. */
358 if (len >= 64)
359 {
360 #if !_STRING_ARCH_unaligned
361 # define alignof(type) offsetof (struct { char c; type x; }, x)
362 # define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0)
363 if (UNALIGNED_P (buffer))
364 while (len > 64)
365 {
366 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
367 buffer = (const char *) buffer + 64;
368 len -= 64;
369 }
370 else
371 #endif
372 {
373 sha256_process_block (buffer, len & ~63, ctx);
374 buffer = (const char *) buffer + (len & ~63);
375 len &= 63;
376 }
377 }
378
379 /* Move remaining bytes in internal buffer. */
380 if (len > 0)
381 {
382 size_t left_over = ctx->buflen;
383
384 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
385 left_over += len;
386 if (left_over >= 64)
387 {
388 sha256_process_block (ctx->buffer, 64, ctx);
389 left_over -= 64;
390 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
391 }
392 ctx->buflen = left_over;
393 }
394 }
395
396 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
397
398 /* SHA256 round constants */
399 #define K(I) sha256_round_constants[I]
400 static const uint32_t sha256_round_constants[64] = {
401 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
402 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
403 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
404 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
405 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
406 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
407 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
408 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
409 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
410 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
411 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
412 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
413 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
414 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
415 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
416 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
417 };
418
419 /* Round functions. */
420 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
421 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
422
423 /* Process LEN bytes of BUFFER, accumulating context into CTX.
424 It is assumed that LEN % 64 == 0.
425 Most of this code comes from GnuPG's cipher/sha1.c. */
426
427 void
428 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
429 {
430 const uint32_t *words = buffer;
431 size_t nwords = len / sizeof (uint32_t);
432 const uint32_t *endp = words + nwords;
433 uint32_t x[16];
434 uint32_t a = ctx->state[0];
435 uint32_t b = ctx->state[1];
436 uint32_t c = ctx->state[2];
437 uint32_t d = ctx->state[3];
438 uint32_t e = ctx->state[4];
439 uint32_t f = ctx->state[5];
440 uint32_t g = ctx->state[6];
441 uint32_t h = ctx->state[7];
442
443 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
444 length of the file up to 2^64 bits. Here we only compute the
445 number of bytes. Do a double word increment. */
446 ctx->total[0] += len;
447 if (ctx->total[0] < len)
448 ++ctx->total[1];
449
450 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
451 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
452 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
453 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
454 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
455
456 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
457 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
458 , x[I&0x0f] = tm )
459
460 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
461 t1 = H + SS1(E) \
462 + F1(E,F,G) \
463 + K \
464 + M; \
465 D += t1; H = t0 + t1; \
466 } while(0)
467
468 while (words < endp)
469 {
470 uint32_t tm;
471 uint32_t t0, t1;
472 int t;
473 /* FIXME: see sha1.c for a better implementation. */
474 for (t = 0; t < 16; t++)
475 {
476 x[t] = SWAP (*words);
477 words++;
478 }
479
480 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
481 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
482 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
483 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
484 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
485 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
486 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
487 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
488 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
489 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
490 R( g, h, a, b, c, d, e, f, K(10), x[10] );
491 R( f, g, h, a, b, c, d, e, K(11), x[11] );
492 R( e, f, g, h, a, b, c, d, K(12), x[12] );
493 R( d, e, f, g, h, a, b, c, K(13), x[13] );
494 R( c, d, e, f, g, h, a, b, K(14), x[14] );
495 R( b, c, d, e, f, g, h, a, K(15), x[15] );
496 R( a, b, c, d, e, f, g, h, K(16), M(16) );
497 R( h, a, b, c, d, e, f, g, K(17), M(17) );
498 R( g, h, a, b, c, d, e, f, K(18), M(18) );
499 R( f, g, h, a, b, c, d, e, K(19), M(19) );
500 R( e, f, g, h, a, b, c, d, K(20), M(20) );
501 R( d, e, f, g, h, a, b, c, K(21), M(21) );
502 R( c, d, e, f, g, h, a, b, K(22), M(22) );
503 R( b, c, d, e, f, g, h, a, K(23), M(23) );
504 R( a, b, c, d, e, f, g, h, K(24), M(24) );
505 R( h, a, b, c, d, e, f, g, K(25), M(25) );
506 R( g, h, a, b, c, d, e, f, K(26), M(26) );
507 R( f, g, h, a, b, c, d, e, K(27), M(27) );
508 R( e, f, g, h, a, b, c, d, K(28), M(28) );
509 R( d, e, f, g, h, a, b, c, K(29), M(29) );
510 R( c, d, e, f, g, h, a, b, K(30), M(30) );
511 R( b, c, d, e, f, g, h, a, K(31), M(31) );
512 R( a, b, c, d, e, f, g, h, K(32), M(32) );
513 R( h, a, b, c, d, e, f, g, K(33), M(33) );
514 R( g, h, a, b, c, d, e, f, K(34), M(34) );
515 R( f, g, h, a, b, c, d, e, K(35), M(35) );
516 R( e, f, g, h, a, b, c, d, K(36), M(36) );
517 R( d, e, f, g, h, a, b, c, K(37), M(37) );
518 R( c, d, e, f, g, h, a, b, K(38), M(38) );
519 R( b, c, d, e, f, g, h, a, K(39), M(39) );
520 R( a, b, c, d, e, f, g, h, K(40), M(40) );
521 R( h, a, b, c, d, e, f, g, K(41), M(41) );
522 R( g, h, a, b, c, d, e, f, K(42), M(42) );
523 R( f, g, h, a, b, c, d, e, K(43), M(43) );
524 R( e, f, g, h, a, b, c, d, K(44), M(44) );
525 R( d, e, f, g, h, a, b, c, K(45), M(45) );
526 R( c, d, e, f, g, h, a, b, K(46), M(46) );
527 R( b, c, d, e, f, g, h, a, K(47), M(47) );
528 R( a, b, c, d, e, f, g, h, K(48), M(48) );
529 R( h, a, b, c, d, e, f, g, K(49), M(49) );
530 R( g, h, a, b, c, d, e, f, K(50), M(50) );
531 R( f, g, h, a, b, c, d, e, K(51), M(51) );
532 R( e, f, g, h, a, b, c, d, K(52), M(52) );
533 R( d, e, f, g, h, a, b, c, K(53), M(53) );
534 R( c, d, e, f, g, h, a, b, K(54), M(54) );
535 R( b, c, d, e, f, g, h, a, K(55), M(55) );
536 R( a, b, c, d, e, f, g, h, K(56), M(56) );
537 R( h, a, b, c, d, e, f, g, K(57), M(57) );
538 R( g, h, a, b, c, d, e, f, K(58), M(58) );
539 R( f, g, h, a, b, c, d, e, K(59), M(59) );
540 R( e, f, g, h, a, b, c, d, K(60), M(60) );
541 R( d, e, f, g, h, a, b, c, K(61), M(61) );
542 R( c, d, e, f, g, h, a, b, K(62), M(62) );
543 R( b, c, d, e, f, g, h, a, K(63), M(63) );
544
545 a = ctx->state[0] += a;
546 b = ctx->state[1] += b;
547 c = ctx->state[2] += c;
548 d = ctx->state[3] += d;
549 e = ctx->state[4] += e;
550 f = ctx->state[5] += f;
551 g = ctx->state[6] += g;
552 h = ctx->state[7] += h;
553 }
554 }
LEDE fork of Opkg