projects / project / opkg-lede.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
libopkg: do not clobber package flags during parsing
[project/opkg-lede.git] / libopkg / sha256.c
1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005, 2006, 2008 Free Software Foundation, Inc.
5
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>. */
18
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21 */
22
23 #include <config.h>
24
25 #include "sha256.h"
26
27 #include <stddef.h>
28 #include <string.h>
29
30 #if USE_UNLOCKED_IO
31 #include "unlocked-io.h"
32 #endif
33
34 #ifdef WORDS_BIGENDIAN
35 #define SWAP(n) (n)
36 #else
37 #define SWAP(n) \
38 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
39 #endif
40
41 #define BLOCKSIZE 4096
42 #if BLOCKSIZE % 64 != 0
43 #error "invalid BLOCKSIZE"
44 #endif
45
46 /* This array contains the bytes used to pad the buffer to the next
47 64-byte boundary. */
48 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
49
50 /*
51 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
52 intializes it to the start constants of the SHA256 algorithm. This
53 must be called before using hash in the call to sha256_hash
54 */
55 void sha256_init_ctx(struct sha256_ctx *ctx)
56 {
57 ctx->state[0] = 0x6a09e667UL;
58 ctx->state[1] = 0xbb67ae85UL;
59 ctx->state[2] = 0x3c6ef372UL;
60 ctx->state[3] = 0xa54ff53aUL;
61 ctx->state[4] = 0x510e527fUL;
62 ctx->state[5] = 0x9b05688cUL;
63 ctx->state[6] = 0x1f83d9abUL;
64 ctx->state[7] = 0x5be0cd19UL;
65
66 ctx->total[0] = ctx->total[1] = 0;
67 ctx->buflen = 0;
68 }
69
70 void sha224_init_ctx(struct sha256_ctx *ctx)
71 {
72 ctx->state[0] = 0xc1059ed8UL;
73 ctx->state[1] = 0x367cd507UL;
74 ctx->state[2] = 0x3070dd17UL;
75 ctx->state[3] = 0xf70e5939UL;
76 ctx->state[4] = 0xffc00b31UL;
77 ctx->state[5] = 0x68581511UL;
78 ctx->state[6] = 0x64f98fa7UL;
79 ctx->state[7] = 0xbefa4fa4UL;
80
81 ctx->total[0] = ctx->total[1] = 0;
82 ctx->buflen = 0;
83 }
84
85 /* Copy the value from v into the memory location pointed to by *cp,
86 If your architecture allows unaligned access this is equivalent to
87 * (uint32_t *) cp = v */
88 static inline void set_uint32(char *cp, uint32_t v)
89 {
90 memcpy(cp, &v, sizeof v);
91 }
92
93 /* Put result from CTX in first 32 bytes following RESBUF. The result
94 must be in little endian byte order. */
95 void *sha256_read_ctx(const struct sha256_ctx *ctx, void *resbuf)
96 {
97 int i;
98 char *r = resbuf;
99
100 for (i = 0; i < 8; i++)
101 set_uint32(r + i * sizeof ctx->state[0], SWAP(ctx->state[i]));
102
103 return resbuf;
104 }
105
106 void *sha224_read_ctx(const struct sha256_ctx *ctx, void *resbuf)
107 {
108 int i;
109 char *r = resbuf;
110
111 for (i = 0; i < 7; i++)
112 set_uint32(r + i * sizeof ctx->state[0], SWAP(ctx->state[i]));
113
114 return resbuf;
115 }
116
117 /* Process the remaining bytes in the internal buffer and the usual
118 prolog according to the standard and write the result to RESBUF. */
119 static void sha256_conclude_ctx(struct sha256_ctx *ctx)
120 {
121 /* Take yet unprocessed bytes into account. */
122 size_t bytes = ctx->buflen;
123 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
124
125 /* Now count remaining bytes. */
126 ctx->total[0] += bytes;
127 if (ctx->total[0] < bytes)
128 ++ctx->total[1];
129
130 /* Put the 64-bit file length in *bits* at the end of the buffer.
131 Use set_uint32 rather than a simple assignment, to avoid risk of
132 unaligned access. */
133 set_uint32((char *)&ctx->buffer[size - 2],
134 SWAP((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
135 set_uint32((char *)&ctx->buffer[size - 1], SWAP(ctx->total[0] << 3));
136
137 memcpy(&((char *)ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
138
139 /* Process last bytes. */
140 sha256_process_block(ctx->buffer, size * 4, ctx);
141 }
142
143 void *sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf)
144 {
145 sha256_conclude_ctx(ctx);
146 return sha256_read_ctx(ctx, resbuf);
147 }
148
149 void *sha224_finish_ctx(struct sha256_ctx *ctx, void *resbuf)
150 {
151 sha256_conclude_ctx(ctx);
152 return sha224_read_ctx(ctx, resbuf);
153 }
154
155 /* Compute SHA256 message digest for bytes read from STREAM. The
156 resulting message digest number will be written into the 32 bytes
157 beginning at RESBLOCK. */
158 int sha256_stream(FILE * stream, void *resblock)
159 {
160 struct sha256_ctx ctx;
161 char buffer[BLOCKSIZE + 72];
162 size_t sum;
163
164 /* Initialize the computation context. */
165 sha256_init_ctx(&ctx);
166
167 /* Iterate over full file contents. */
168 while (1) {
169 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
170 computation function processes the whole buffer so that with the
171 next round of the loop another block can be read. */
172 size_t n;
173 sum = 0;
174
175 /* Read block. Take care for partial reads. */
176 while (1) {
177 n = fread(buffer + sum, 1, BLOCKSIZE - sum, stream);
178
179 sum += n;
180
181 if (sum == BLOCKSIZE)
182 break;
183
184 if (n == 0) {
185 /* Check for the error flag IFF N == 0, so that we don't
186 exit the loop after a partial read due to e.g., EAGAIN
187 or EWOULDBLOCK. */
188 if (ferror(stream))
189 return 1;
190 goto process_partial_block;
191 }
192
193 /* We've read at least one byte, so ignore errors. But always
194 check for EOF, since feof may be true even though N > 0.
195 Otherwise, we could end up calling fread after EOF. */
196 if (feof(stream))
197 goto process_partial_block;
198 }
199
200 /* Process buffer with BLOCKSIZE bytes. Note that
201 BLOCKSIZE % 64 == 0
202 */
203 sha256_process_block(buffer, BLOCKSIZE, &ctx);
204 }
205
206 process_partial_block:;
207
208 /* Process any remaining bytes. */
209 if (sum > 0)
210 sha256_process_bytes(buffer, sum, &ctx);
211
212 /* Construct result in desired memory. */
213 sha256_finish_ctx(&ctx, resblock);
214 return 0;
215 }
216
217 /* FIXME: Avoid code duplication */
218 int sha224_stream(FILE * stream, void *resblock)
219 {
220 struct sha256_ctx ctx;
221 char buffer[BLOCKSIZE + 72];
222 size_t sum;
223
224 /* Initialize the computation context. */
225 sha224_init_ctx(&ctx);
226
227 /* Iterate over full file contents. */
228 while (1) {
229 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
230 computation function processes the whole buffer so that with the
231 next round of the loop another block can be read. */
232 size_t n;
233 sum = 0;
234
235 /* Read block. Take care for partial reads. */
236 while (1) {
237 n = fread(buffer + sum, 1, BLOCKSIZE - sum, stream);
238
239 sum += n;
240
241 if (sum == BLOCKSIZE)
242 break;
243
244 if (n == 0) {
245 /* Check for the error flag IFF N == 0, so that we don't
246 exit the loop after a partial read due to e.g., EAGAIN
247 or EWOULDBLOCK. */
248 if (ferror(stream))
249 return 1;
250 goto process_partial_block;
251 }
252
253 /* We've read at least one byte, so ignore errors. But always
254 check for EOF, since feof may be true even though N > 0.
255 Otherwise, we could end up calling fread after EOF. */
256 if (feof(stream))
257 goto process_partial_block;
258 }
259
260 /* Process buffer with BLOCKSIZE bytes. Note that
261 BLOCKSIZE % 64 == 0
262 */
263 sha256_process_block(buffer, BLOCKSIZE, &ctx);
264 }
265
266 process_partial_block:;
267
268 /* Process any remaining bytes. */
269 if (sum > 0)
270 sha256_process_bytes(buffer, sum, &ctx);
271
272 /* Construct result in desired memory. */
273 sha224_finish_ctx(&ctx, resblock);
274 return 0;
275 }
276
277 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
278 result is always in little endian byte order, so that a byte-wise
279 output yields to the wanted ASCII representation of the message
280 digest. */
281 void *sha256_buffer(const char *buffer, size_t len, void *resblock)
282 {
283 struct sha256_ctx ctx;
284
285 /* Initialize the computation context. */
286 sha256_init_ctx(&ctx);
287
288 /* Process whole buffer but last len % 64 bytes. */
289 sha256_process_bytes(buffer, len, &ctx);
290
291 /* Put result in desired memory area. */
292 return sha256_finish_ctx(&ctx, resblock);
293 }
294
295 void *sha224_buffer(const char *buffer, size_t len, void *resblock)
296 {
297 struct sha256_ctx ctx;
298
299 /* Initialize the computation context. */
300 sha224_init_ctx(&ctx);
301
302 /* Process whole buffer but last len % 64 bytes. */
303 sha256_process_bytes(buffer, len, &ctx);
304
305 /* Put result in desired memory area. */
306 return sha224_finish_ctx(&ctx, resblock);
307 }
308
309 void
310 sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx)
311 {
312 /* When we already have some bits in our internal buffer concatenate
313 both inputs first. */
314 if (ctx->buflen != 0) {
315 size_t left_over = ctx->buflen;
316 size_t add = 128 - left_over > len ? len : 128 - left_over;
317
318 memcpy(&((char *)ctx->buffer)[left_over], buffer, add);
319 ctx->buflen += add;
320
321 if (ctx->buflen > 64) {
322 sha256_process_block(ctx->buffer, ctx->buflen & ~63,
323 ctx);
324
325 ctx->buflen &= 63;
326 /* The regions in the following copy operation cannot overlap. */
327 memcpy(ctx->buffer,
328 &((char *)ctx->buffer)[(left_over + add) & ~63],
329 ctx->buflen);
330 }
331
332 buffer = (const char *)buffer + add;
333 len -= add;
334 }
335
336 /* Process available complete blocks. */
337 if (len >= 64) {
338 #if !_STRING_ARCH_unaligned
339 #define alignof(type) offsetof (struct { char c; type x; }, x)
340 #define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0)
341 if (UNALIGNED_P(buffer))
342 while (len > 64) {
343 sha256_process_block(memcpy
344 (ctx->buffer, buffer, 64),
345 64, ctx);
346 buffer = (const char *)buffer + 64;
347 len -= 64;
348 } else
349 #endif
350 {
351 sha256_process_block(buffer, len & ~63, ctx);
352 buffer = (const char *)buffer + (len & ~63);
353 len &= 63;
354 }
355 }
356
357 /* Move remaining bytes in internal buffer. */
358 if (len > 0) {
359 size_t left_over = ctx->buflen;
360
361 memcpy(&((char *)ctx->buffer)[left_over], buffer, len);
362 left_over += len;
363 if (left_over >= 64) {
364 sha256_process_block(ctx->buffer, 64, ctx);
365 left_over -= 64;
366 memcpy(ctx->buffer, &ctx->buffer[16], left_over);
367 }
368 ctx->buflen = left_over;
369 }
370 }
371
372 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
373
374 /* SHA256 round constants */
375 #define K(I) sha256_round_constants[I]
376 static const uint32_t sha256_round_constants[64] = {
377 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
378 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
379 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
380 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
381 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
382 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
383 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
384 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
385 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
386 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
387 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
388 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
389 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
390 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
391 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
392 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
393 };
394
395 /* Round functions. */
396 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
397 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
398
399 /* Process LEN bytes of BUFFER, accumulating context into CTX.
400 It is assumed that LEN % 64 == 0.
401 Most of this code comes from GnuPG's cipher/sha1.c. */
402
403 void
404 sha256_process_block(const void *buffer, size_t len, struct sha256_ctx *ctx)
405 {
406 const uint32_t *words = buffer;
407 size_t nwords = len / sizeof(uint32_t);
408 const uint32_t *endp = words + nwords;
409 uint32_t x[16];
410 uint32_t a = ctx->state[0];
411 uint32_t b = ctx->state[1];
412 uint32_t c = ctx->state[2];
413 uint32_t d = ctx->state[3];
414 uint32_t e = ctx->state[4];
415 uint32_t f = ctx->state[5];
416 uint32_t g = ctx->state[6];
417 uint32_t h = ctx->state[7];
418
419 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
420 length of the file up to 2^64 bits. Here we only compute the
421 number of bytes. Do a double word increment. */
422 ctx->total[0] += len;
423 if (ctx->total[0] < len)
424 ++ctx->total[1];
425
426 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
427 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
428 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
429 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
430 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
431
432 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
433 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
434 , x[I&0x0f] = tm )
435
436 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
437 t1 = H + SS1(E) \
438 + F1(E,F,G) \
439 + K \
440 + M; \
441 D += t1; H = t0 + t1; \
442 } while(0)
443
444 while (words < endp) {
445 uint32_t tm;
446 uint32_t t0, t1;
447 int t;
448 /* FIXME: see sha1.c for a better implementation. */
449 for (t = 0; t < 16; t++) {
450 x[t] = SWAP(*words);
451 words++;
452 }
453
454 R(a, b, c, d, e, f, g, h, K(0), x[0]);
455 R(h, a, b, c, d, e, f, g, K(1), x[1]);
456 R(g, h, a, b, c, d, e, f, K(2), x[2]);
457 R(f, g, h, a, b, c, d, e, K(3), x[3]);
458 R(e, f, g, h, a, b, c, d, K(4), x[4]);
459 R(d, e, f, g, h, a, b, c, K(5), x[5]);
460 R(c, d, e, f, g, h, a, b, K(6), x[6]);
461 R(b, c, d, e, f, g, h, a, K(7), x[7]);
462 R(a, b, c, d, e, f, g, h, K(8), x[8]);
463 R(h, a, b, c, d, e, f, g, K(9), x[9]);
464 R(g, h, a, b, c, d, e, f, K(10), x[10]);
465 R(f, g, h, a, b, c, d, e, K(11), x[11]);
466 R(e, f, g, h, a, b, c, d, K(12), x[12]);
467 R(d, e, f, g, h, a, b, c, K(13), x[13]);
468 R(c, d, e, f, g, h, a, b, K(14), x[14]);
469 R(b, c, d, e, f, g, h, a, K(15), x[15]);
470 R(a, b, c, d, e, f, g, h, K(16), M(16));
471 R(h, a, b, c, d, e, f, g, K(17), M(17));
472 R(g, h, a, b, c, d, e, f, K(18), M(18));
473 R(f, g, h, a, b, c, d, e, K(19), M(19));
474 R(e, f, g, h, a, b, c, d, K(20), M(20));
475 R(d, e, f, g, h, a, b, c, K(21), M(21));
476 R(c, d, e, f, g, h, a, b, K(22), M(22));
477 R(b, c, d, e, f, g, h, a, K(23), M(23));
478 R(a, b, c, d, e, f, g, h, K(24), M(24));
479 R(h, a, b, c, d, e, f, g, K(25), M(25));
480 R(g, h, a, b, c, d, e, f, K(26), M(26));
481 R(f, g, h, a, b, c, d, e, K(27), M(27));
482 R(e, f, g, h, a, b, c, d, K(28), M(28));
483 R(d, e, f, g, h, a, b, c, K(29), M(29));
484 R(c, d, e, f, g, h, a, b, K(30), M(30));
485 R(b, c, d, e, f, g, h, a, K(31), M(31));
486 R(a, b, c, d, e, f, g, h, K(32), M(32));
487 R(h, a, b, c, d, e, f, g, K(33), M(33));
488 R(g, h, a, b, c, d, e, f, K(34), M(34));
489 R(f, g, h, a, b, c, d, e, K(35), M(35));
490 R(e, f, g, h, a, b, c, d, K(36), M(36));
491 R(d, e, f, g, h, a, b, c, K(37), M(37));
492 R(c, d, e, f, g, h, a, b, K(38), M(38));
493 R(b, c, d, e, f, g, h, a, K(39), M(39));
494 R(a, b, c, d, e, f, g, h, K(40), M(40));
495 R(h, a, b, c, d, e, f, g, K(41), M(41));
496 R(g, h, a, b, c, d, e, f, K(42), M(42));
497 R(f, g, h, a, b, c, d, e, K(43), M(43));
498 R(e, f, g, h, a, b, c, d, K(44), M(44));
499 R(d, e, f, g, h, a, b, c, K(45), M(45));
500 R(c, d, e, f, g, h, a, b, K(46), M(46));
501 R(b, c, d, e, f, g, h, a, K(47), M(47));
502 R(a, b, c, d, e, f, g, h, K(48), M(48));
503 R(h, a, b, c, d, e, f, g, K(49), M(49));
504 R(g, h, a, b, c, d, e, f, K(50), M(50));
505 R(f, g, h, a, b, c, d, e, K(51), M(51));
506 R(e, f, g, h, a, b, c, d, K(52), M(52));
507 R(d, e, f, g, h, a, b, c, K(53), M(53));
508 R(c, d, e, f, g, h, a, b, K(54), M(54));
509 R(b, c, d, e, f, g, h, a, K(55), M(55));
510 R(a, b, c, d, e, f, g, h, K(56), M(56));
511 R(h, a, b, c, d, e, f, g, K(57), M(57));
512 R(g, h, a, b, c, d, e, f, K(58), M(58));
513 R(f, g, h, a, b, c, d, e, K(59), M(59));
514 R(e, f, g, h, a, b, c, d, K(60), M(60));
515 R(d, e, f, g, h, a, b, c, K(61), M(61));
516 R(c, d, e, f, g, h, a, b, K(62), M(62));
517 R(b, c, d, e, f, g, h, a, K(63), M(63));
518
519 a = ctx->state[0] += a;
520 b = ctx->state[1] += b;
521 c = ctx->state[2] += c;
522 d = ctx->state[3] += d;
523 e = ctx->state[4] += e;
524 f = ctx->state[5] += f;
525 g = ctx->state[6] += g;
526 h = ctx->state[7] += h;
527 }
528 }
LEDE fork of Opkg