search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug #9495 with cursor positioning on truncated lines.
[emacs.git] / lib / sha256.c
blobc125542248bc98ea80408c9b7fc4713bc45472da
1 /* sha256.c - Functions to compute SHA256 and SHA224 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005-2006, 2008-2011 Free Software Foundation, Inc.
5
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>. */
18
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21 */
22
23 #include <config.h>
24
25 #include "sha256.h"
26
27 #include <stddef.h>
28 #include <stdlib.h>
29 #include <string.h>
30
31 #if USE_UNLOCKED_IO
32 # include "unlocked-io.h"
33 #endif
34
35 #ifdef WORDS_BIGENDIAN
36 # define SWAP(n) (n)
37 #else
38 # define SWAP(n) \
39 (((n) << 24) | (((n) & 0xff00) << 8) | (((n) >> 8) & 0xff00) | ((n) >> 24))
40 #endif
41
42 #define BLOCKSIZE 32768
43 #if BLOCKSIZE % 64 != 0
44 # error "invalid BLOCKSIZE"
45 #endif
46
47 /* This array contains the bytes used to pad the buffer to the next
48 64-byte boundary. */
49 static const unsigned char fillbuf[64] = { 0x80, 0 /* , 0, 0, ... */ };
50
51
52 /*
53 Takes a pointer to a 256 bit block of data (eight 32 bit ints) and
54 intializes it to the start constants of the SHA256 algorithm. This
55 must be called before using hash in the call to sha256_hash
56 */
57 void
58 sha256_init_ctx (struct sha256_ctx *ctx)
59 {
60 ctx->state[0] = 0x6a09e667UL;
61 ctx->state[1] = 0xbb67ae85UL;
62 ctx->state[2] = 0x3c6ef372UL;
63 ctx->state[3] = 0xa54ff53aUL;
64 ctx->state[4] = 0x510e527fUL;
65 ctx->state[5] = 0x9b05688cUL;
66 ctx->state[6] = 0x1f83d9abUL;
67 ctx->state[7] = 0x5be0cd19UL;
68
69 ctx->total[0] = ctx->total[1] = 0;
70 ctx->buflen = 0;
71 }
72
73 void
74 sha224_init_ctx (struct sha256_ctx *ctx)
75 {
76 ctx->state[0] = 0xc1059ed8UL;
77 ctx->state[1] = 0x367cd507UL;
78 ctx->state[2] = 0x3070dd17UL;
79 ctx->state[3] = 0xf70e5939UL;
80 ctx->state[4] = 0xffc00b31UL;
81 ctx->state[5] = 0x68581511UL;
82 ctx->state[6] = 0x64f98fa7UL;
83 ctx->state[7] = 0xbefa4fa4UL;
84
85 ctx->total[0] = ctx->total[1] = 0;
86 ctx->buflen = 0;
87 }
88
89 /* Copy the value from v into the memory location pointed to by *cp,
90 If your architecture allows unaligned access this is equivalent to
91 * (uint32_t *) cp = v */
92 static inline void
93 set_uint32 (char *cp, uint32_t v)
94 {
95 memcpy (cp, &v, sizeof v);
96 }
97
98 /* Put result from CTX in first 32 bytes following RESBUF. The result
99 must be in little endian byte order. */
100 void *
101 sha256_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
102 {
103 int i;
104 char *r = resbuf;
105
106 for (i = 0; i < 8; i++)
107 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
108
109 return resbuf;
110 }
111
112 void *
113 sha224_read_ctx (const struct sha256_ctx *ctx, void *resbuf)
114 {
115 int i;
116 char *r = resbuf;
117
118 for (i = 0; i < 7; i++)
119 set_uint32 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
120
121 return resbuf;
122 }
123
124 /* Process the remaining bytes in the internal buffer and the usual
125 prolog according to the standard and write the result to RESBUF. */
126 static void
127 sha256_conclude_ctx (struct sha256_ctx *ctx)
128 {
129 /* Take yet unprocessed bytes into account. */
130 size_t bytes = ctx->buflen;
131 size_t size = (bytes < 56) ? 64 / 4 : 64 * 2 / 4;
132
133 /* Now count remaining bytes. */
134 ctx->total[0] += bytes;
135 if (ctx->total[0] < bytes)
136 ++ctx->total[1];
137
138 /* Put the 64-bit file length in *bits* at the end of the buffer.
139 Use set_uint32 rather than a simple assignment, to avoid risk of
140 unaligned access. */
141 set_uint32 ((char *) &ctx->buffer[size - 2],
142 SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 29)));
143 set_uint32 ((char *) &ctx->buffer[size - 1],
144 SWAP (ctx->total[0] << 3));
145
146 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 4 - bytes);
147
148 /* Process last bytes. */
149 sha256_process_block (ctx->buffer, size * 4, ctx);
150 }
151
152 void *
153 sha256_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
154 {
155 sha256_conclude_ctx (ctx);
156 return sha256_read_ctx (ctx, resbuf);
157 }
158
159 void *
160 sha224_finish_ctx (struct sha256_ctx *ctx, void *resbuf)
161 {
162 sha256_conclude_ctx (ctx);
163 return sha224_read_ctx (ctx, resbuf);
164 }
165
166 /* Compute SHA256 message digest for bytes read from STREAM. The
167 resulting message digest number will be written into the 32 bytes
168 beginning at RESBLOCK. */
169 int
170 sha256_stream (FILE *stream, void *resblock)
171 {
172 struct sha256_ctx ctx;
173 size_t sum;
174
175 char *buffer = malloc (BLOCKSIZE + 72);
176 if (!buffer)
177 return 1;
178
179 /* Initialize the computation context. */
180 sha256_init_ctx (&ctx);
181
182 /* Iterate over full file contents. */
183 while (1)
184 {
185 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
186 computation function processes the whole buffer so that with the
187 next round of the loop another block can be read. */
188 size_t n;
189 sum = 0;
190
191 /* Read block. Take care for partial reads. */
192 while (1)
193 {
194 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
195
196 sum += n;
197
198 if (sum == BLOCKSIZE)
199 break;
200
201 if (n == 0)
202 {
203 /* Check for the error flag IFF N == 0, so that we don't
204 exit the loop after a partial read due to e.g., EAGAIN
205 or EWOULDBLOCK. */
206 if (ferror (stream))
207 {
208 free (buffer);
209 return 1;
210 }
211 goto process_partial_block;
212 }
213
214 /* We've read at least one byte, so ignore errors. But always
215 check for EOF, since feof may be true even though N > 0.
216 Otherwise, we could end up calling fread after EOF. */
217 if (feof (stream))
218 goto process_partial_block;
219 }
220
221 /* Process buffer with BLOCKSIZE bytes. Note that
222 BLOCKSIZE % 64 == 0
223 */
224 sha256_process_block (buffer, BLOCKSIZE, &ctx);
225 }
226
227 process_partial_block:;
228
229 /* Process any remaining bytes. */
230 if (sum > 0)
231 sha256_process_bytes (buffer, sum, &ctx);
232
233 /* Construct result in desired memory. */
234 sha256_finish_ctx (&ctx, resblock);
235 free (buffer);
236 return 0;
237 }
238
239 /* FIXME: Avoid code duplication */
240 int
241 sha224_stream (FILE *stream, void *resblock)
242 {
243 struct sha256_ctx ctx;
244 size_t sum;
245
246 char *buffer = malloc (BLOCKSIZE + 72);
247 if (!buffer)
248 return 1;
249
250 /* Initialize the computation context. */
251 sha224_init_ctx (&ctx);
252
253 /* Iterate over full file contents. */
254 while (1)
255 {
256 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
257 computation function processes the whole buffer so that with the
258 next round of the loop another block can be read. */
259 size_t n;
260 sum = 0;
261
262 /* Read block. Take care for partial reads. */
263 while (1)
264 {
265 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
266
267 sum += n;
268
269 if (sum == BLOCKSIZE)
270 break;
271
272 if (n == 0)
273 {
274 /* Check for the error flag IFF N == 0, so that we don't
275 exit the loop after a partial read due to e.g., EAGAIN
276 or EWOULDBLOCK. */
277 if (ferror (stream))
278 {
279 free (buffer);
280 return 1;
281 }
282 goto process_partial_block;
283 }
284
285 /* We've read at least one byte, so ignore errors. But always
286 check for EOF, since feof may be true even though N > 0.
287 Otherwise, we could end up calling fread after EOF. */
288 if (feof (stream))
289 goto process_partial_block;
290 }
291
292 /* Process buffer with BLOCKSIZE bytes. Note that
293 BLOCKSIZE % 64 == 0
294 */
295 sha256_process_block (buffer, BLOCKSIZE, &ctx);
296 }
297
298 process_partial_block:;
299
300 /* Process any remaining bytes. */
301 if (sum > 0)
302 sha256_process_bytes (buffer, sum, &ctx);
303
304 /* Construct result in desired memory. */
305 sha224_finish_ctx (&ctx, resblock);
306 free (buffer);
307 return 0;
308 }
309
310 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
311 result is always in little endian byte order, so that a byte-wise
312 output yields to the wanted ASCII representation of the message
313 digest. */
314 void *
315 sha256_buffer (const char *buffer, size_t len, void *resblock)
316 {
317 struct sha256_ctx ctx;
318
319 /* Initialize the computation context. */
320 sha256_init_ctx (&ctx);
321
322 /* Process whole buffer but last len % 64 bytes. */
323 sha256_process_bytes (buffer, len, &ctx);
324
325 /* Put result in desired memory area. */
326 return sha256_finish_ctx (&ctx, resblock);
327 }
328
329 void *
330 sha224_buffer (const char *buffer, size_t len, void *resblock)
331 {
332 struct sha256_ctx ctx;
333
334 /* Initialize the computation context. */
335 sha224_init_ctx (&ctx);
336
337 /* Process whole buffer but last len % 64 bytes. */
338 sha256_process_bytes (buffer, len, &ctx);
339
340 /* Put result in desired memory area. */
341 return sha224_finish_ctx (&ctx, resblock);
342 }
343
344 void
345 sha256_process_bytes (const void *buffer, size_t len, struct sha256_ctx *ctx)
346 {
347 /* When we already have some bits in our internal buffer concatenate
348 both inputs first. */
349 if (ctx->buflen != 0)
350 {
351 size_t left_over = ctx->buflen;
352 size_t add = 128 - left_over > len ? len : 128 - left_over;
353
354 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
355 ctx->buflen += add;
356
357 if (ctx->buflen > 64)
358 {
359 sha256_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
360
361 ctx->buflen &= 63;
362 /* The regions in the following copy operation cannot overlap. */
363 memcpy (ctx->buffer,
364 &((char *) ctx->buffer)[(left_over + add) & ~63],
365 ctx->buflen);
366 }
367
368 buffer = (const char *) buffer + add;
369 len -= add;
370 }
371
372 /* Process available complete blocks. */
373 if (len >= 64)
374 {
375 #if !_STRING_ARCH_unaligned
376 # define alignof(type) offsetof (struct { char c; type x; }, x)
377 # define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0)
378 if (UNALIGNED_P (buffer))
379 while (len > 64)
380 {
381 sha256_process_block (memcpy (ctx->buffer, buffer, 64), 64, ctx);
382 buffer = (const char *) buffer + 64;
383 len -= 64;
384 }
385 else
386 #endif
387 {
388 sha256_process_block (buffer, len & ~63, ctx);
389 buffer = (const char *) buffer + (len & ~63);
390 len &= 63;
391 }
392 }
393
394 /* Move remaining bytes in internal buffer. */
395 if (len > 0)
396 {
397 size_t left_over = ctx->buflen;
398
399 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
400 left_over += len;
401 if (left_over >= 64)
402 {
403 sha256_process_block (ctx->buffer, 64, ctx);
404 left_over -= 64;
405 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
406 }
407 ctx->buflen = left_over;
408 }
409 }
410
411 /* --- Code below is the primary difference between sha1.c and sha256.c --- */
412
413 /* SHA256 round constants */
414 #define K(I) sha256_round_constants[I]
415 static const uint32_t sha256_round_constants[64] = {
416 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
417 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
418 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
419 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
420 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
421 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
422 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
423 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
424 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
425 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
426 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
427 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
428 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
429 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
430 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
431 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
432 };
433
434 /* Round functions. */
435 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
436 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
437
438 /* Process LEN bytes of BUFFER, accumulating context into CTX.
439 It is assumed that LEN % 64 == 0.
440 Most of this code comes from GnuPG's cipher/sha1.c. */
441
442 void
443 sha256_process_block (const void *buffer, size_t len, struct sha256_ctx *ctx)
444 {
445 const uint32_t *words = buffer;
446 size_t nwords = len / sizeof (uint32_t);
447 const uint32_t *endp = words + nwords;
448 uint32_t x[16];
449 uint32_t a = ctx->state[0];
450 uint32_t b = ctx->state[1];
451 uint32_t c = ctx->state[2];
452 uint32_t d = ctx->state[3];
453 uint32_t e = ctx->state[4];
454 uint32_t f = ctx->state[5];
455 uint32_t g = ctx->state[6];
456 uint32_t h = ctx->state[7];
457
458 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
459 length of the file up to 2^64 bits. Here we only compute the
460 number of bytes. Do a double word increment. */
461 ctx->total[0] += len;
462 if (ctx->total[0] < len)
463 ++ctx->total[1];
464
465 #define rol(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
466 #define S0(x) (rol(x,25)^rol(x,14)^(x>>3))
467 #define S1(x) (rol(x,15)^rol(x,13)^(x>>10))
468 #define SS0(x) (rol(x,30)^rol(x,19)^rol(x,10))
469 #define SS1(x) (rol(x,26)^rol(x,21)^rol(x,7))
470
471 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
472 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
473 , x[I&0x0f] = tm )
474
475 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
476 t1 = H + SS1(E) \
477 + F1(E,F,G) \
478 + K \
479 + M; \
480 D += t1; H = t0 + t1; \
481 } while(0)
482
483 while (words < endp)
484 {
485 uint32_t tm;
486 uint32_t t0, t1;
487 int t;
488 /* FIXME: see sha1.c for a better implementation. */
489 for (t = 0; t < 16; t++)
490 {
491 x[t] = SWAP (*words);
492 words++;
493 }
494
495 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
496 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
497 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
498 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
499 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
500 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
501 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
502 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
503 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
504 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
505 R( g, h, a, b, c, d, e, f, K(10), x[10] );
506 R( f, g, h, a, b, c, d, e, K(11), x[11] );
507 R( e, f, g, h, a, b, c, d, K(12), x[12] );
508 R( d, e, f, g, h, a, b, c, K(13), x[13] );
509 R( c, d, e, f, g, h, a, b, K(14), x[14] );
510 R( b, c, d, e, f, g, h, a, K(15), x[15] );
511 R( a, b, c, d, e, f, g, h, K(16), M(16) );
512 R( h, a, b, c, d, e, f, g, K(17), M(17) );
513 R( g, h, a, b, c, d, e, f, K(18), M(18) );
514 R( f, g, h, a, b, c, d, e, K(19), M(19) );
515 R( e, f, g, h, a, b, c, d, K(20), M(20) );
516 R( d, e, f, g, h, a, b, c, K(21), M(21) );
517 R( c, d, e, f, g, h, a, b, K(22), M(22) );
518 R( b, c, d, e, f, g, h, a, K(23), M(23) );
519 R( a, b, c, d, e, f, g, h, K(24), M(24) );
520 R( h, a, b, c, d, e, f, g, K(25), M(25) );
521 R( g, h, a, b, c, d, e, f, K(26), M(26) );
522 R( f, g, h, a, b, c, d, e, K(27), M(27) );
523 R( e, f, g, h, a, b, c, d, K(28), M(28) );
524 R( d, e, f, g, h, a, b, c, K(29), M(29) );
525 R( c, d, e, f, g, h, a, b, K(30), M(30) );
526 R( b, c, d, e, f, g, h, a, K(31), M(31) );
527 R( a, b, c, d, e, f, g, h, K(32), M(32) );
528 R( h, a, b, c, d, e, f, g, K(33), M(33) );
529 R( g, h, a, b, c, d, e, f, K(34), M(34) );
530 R( f, g, h, a, b, c, d, e, K(35), M(35) );
531 R( e, f, g, h, a, b, c, d, K(36), M(36) );
532 R( d, e, f, g, h, a, b, c, K(37), M(37) );
533 R( c, d, e, f, g, h, a, b, K(38), M(38) );
534 R( b, c, d, e, f, g, h, a, K(39), M(39) );
535 R( a, b, c, d, e, f, g, h, K(40), M(40) );
536 R( h, a, b, c, d, e, f, g, K(41), M(41) );
537 R( g, h, a, b, c, d, e, f, K(42), M(42) );
538 R( f, g, h, a, b, c, d, e, K(43), M(43) );
539 R( e, f, g, h, a, b, c, d, K(44), M(44) );
540 R( d, e, f, g, h, a, b, c, K(45), M(45) );
541 R( c, d, e, f, g, h, a, b, K(46), M(46) );
542 R( b, c, d, e, f, g, h, a, K(47), M(47) );
543 R( a, b, c, d, e, f, g, h, K(48), M(48) );
544 R( h, a, b, c, d, e, f, g, K(49), M(49) );
545 R( g, h, a, b, c, d, e, f, K(50), M(50) );
546 R( f, g, h, a, b, c, d, e, K(51), M(51) );
547 R( e, f, g, h, a, b, c, d, K(52), M(52) );
548 R( d, e, f, g, h, a, b, c, K(53), M(53) );
549 R( c, d, e, f, g, h, a, b, K(54), M(54) );
550 R( b, c, d, e, f, g, h, a, K(55), M(55) );
551 R( a, b, c, d, e, f, g, h, K(56), M(56) );
552 R( h, a, b, c, d, e, f, g, K(57), M(57) );
553 R( g, h, a, b, c, d, e, f, K(58), M(58) );
554 R( f, g, h, a, b, c, d, e, K(59), M(59) );
555 R( e, f, g, h, a, b, c, d, K(60), M(60) );
556 R( d, e, f, g, h, a, b, c, K(61), M(61) );
557 R( c, d, e, f, g, h, a, b, K(62), M(62) );
558 R( b, c, d, e, f, g, h, a, K(63), M(63) );
559
560 a = ctx->state[0] += a;
561 b = ctx->state[1] += b;
562 c = ctx->state[2] += c;
563 d = ctx->state[3] += d;
564 e = ctx->state[4] += e;
565 f = ctx->state[5] += f;
566 g = ctx->state[6] += g;
567 h = ctx->state[7] += h;
568 }
569 }
Emacs repository mirror